Wired Intelligent Edge

  • 1.  Aruba CX 6200 Radius server configuration

    Posted Apr 09, 2024 12:25 PM

    I am trying to get RADIUS authentication working with the ClearPass NAC solution (MAC-based only). I am using a 6200 CX switch managed through Aruba Central.

    It works as expected initially. After a few hours, or for a new client authentication on the same port, I am seeing a RADIUS authentication error with the following message in ClearPass: "Failed to decode RADIUS packet - Received packet from <nas-ip> with invalid Message-Authenticator! (Shared secret may be incorrect.)". Re-adding the RADIUS key under the ClearPass "devices tab" seems to mitigate the issue. However, it reoccurs as soon as we connect a new client under the same port.

    Switch configs: 

    radius-server host 10.0.0.1 key ciphertext <XXXXX>
    radius-server host 10.0.0.2 key ciphertext <XXX>
    !
    !
    aaa group server radius cluster_1
        server 10.0.0.1
        server 10.0.0.2
    !
    !
    radius dyn-authorization enable

    AAA configs are applied at the interface level too.

    Has anyone faced this issue? I have a few sites running fine on AOS-S switches, so I am leaning towards the Aruba CX switch and Central configuration.

    Any suggestions? I am running version 10.13.1005.



    ------------------------------
    Thanks,
    AK
    ------------------------------


    ------------------------------
    [Akshay][Vishwas]
    ------------------------------


  • 2.  RE: Aruba CX 6200 Radius server configuration

    Posted Apr 10, 2024 10:25 AM

    You should configure the dynamic authorization secret too and configure your global port configuration accordingly, like this:

    radius dyn-authorization client 10.0.0.1 secret-key ...
    radius dyn-authorization client 10.0.0.2 secret-key ...
    !
    aaa authentication port-access mac-auth
        radius server-group cluster_1
        enable




  • 3.  RE: Aruba CX 6200 Radius server configuration

    Posted Apr 18, 2024 11:19 AM

    Thanks, Holger.

    The issue turned out to be a "$" sign included in the RADIUS password. This is specific to Aruba Central-managed CX switches.

    Ak



    ------------------------------
    [Akshay][Vishwas]
    ------------------------------
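
The ClearPass error in this thread comes from the Message-Authenticator check (RFC 3579): HMAC-MD5 over the whole RADIUS packet, keyed with the shared secret, with the attribute's value zeroed during computation. The following is an added example, not code from the thread or from Aruba, showing why a secret that differs by a single character on the switch side fails that check. Both secrets are constructed, and dropping the "$" is an assumption made for illustration; the thread does not say how the stored key was altered.

```python
import hashlib
import hmac
import os
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 3579)
SERVER_SECRET = b"Example$ecret1"  # constructed: secret as entered on the RADIUS server
NAS_SECRET = b"Exampleecret1"      # constructed, assumed: secret the switch ends up using

def build_access_request(secret, mac, ident=1):
    """Minimal MAC-auth Access-Request signed the way a NAS signs it."""
    user = mac.encode()
    attrs = struct.pack("!BB", 1, 2 + len(user)) + user    # User-Name
    attrs += struct.pack("!BB", MSG_AUTH, 18) + bytes(16)  # zeroed placeholder
    head = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + os.urandom(16)
    digest = hmac.new(secret, head + attrs, hashlib.md5).digest()
    return head + attrs[:-16] + digest

def verify_message_authenticator(secret, packet):
    """Server side: recompute HMAC-MD5 over the packet with the field zeroed."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    pos = 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return False  # malformed attribute
        if atype == MSG_AUTH:
            if alen != 18:
                return False
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:length]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(packet[pos + 2:pos + 18], expected)
        pos += alen
    return False  # attribute missing

def demo():
    ok = build_access_request(SERVER_SECRET, "aabbccddeeff")
    mismatched = build_access_request(NAS_SECRET, "aabbccddeeff")
    return (verify_message_authenticator(SERVER_SECRET, ok),
            verify_message_authenticator(SERVER_SECRET, mismatched))

if __name__ == "__main__":
    print(demo())
```
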



  • 4.  RE: Aruba CX 6200 Radius server configuration

    Posted Apr 11, 2024 07:53 AM

    Duplicate post!



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------