Aruba CX 6200 Radius server configuration

  • 1.  Aruba CX 6200 Radius server configuration

    Posted Apr 09, 2024 12:20 PM

    I am trying to get RADIUS authentication working with the ClearPass NAC solution (MAC-based only). I am using a 6200 CX switch managed through Aruba Central.

    It works as expected initially. After a few hours, or for a new client authentication on the same port, I am seeing a RADIUS authentication error with the following message in ClearPass: "Failed to decode RADIUS packet - Received packet from <nas-ip> with invalid Message-Authenticator! (Shared secret may be incorrect.)". Re-adding the RADIUS key under the ClearPass "devices tab" seems to mitigate the issue. However, it reoccurs as soon as we connect a new client under the same port.

    Switch configs: 

    radius-server host 10.0.0.1 key ciphertext <XXXXX>
    radius-server host 10.0.0.2 key ciphertext <XXX>
    !
    !
    aaa group server radius cluster_1
        server 10.0.0.1
        server 10.0.0.2
    !
    !
    radius dyn-authorization enable

    AAA configs are applied at the interface level too.

    Has anyone faced this issue? I have a few sites running fine on AOS-S switches, so I am leaning towards the Aruba CX switch and Central configuration.

    Any suggestions? I am running version 10.13.1005.



    ------------------------------
    Thanks,
    AK
    ------------------------------


  • 2.  RE: Aruba CX 6200 Radius server configuration

    Posted Apr 11, 2024 07:52 AM

    That message in the event logs (invalid Message-Authenticator) almost certainly means that the RADIUS shared secret does not match. When you say 're-adding' the key in the NAD, do you mean that it's gone? I've never seen such a thing. I would check the Audit log to see when/who changes the configuration, because once entered, it should stay in there.

    This may be something to further investigate with support, if you can't find out who/what is changing the configuration.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
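
The check behind the ClearPass error discussed above, as an added example that is not part of the original thread or any Aruba code: per RFC 2869/3579, Message-Authenticator is an HMAC-MD5 over the whole Access-Request, keyed with the shared secret, with the attribute's own 16 value bytes zeroed during the calculation. The packet, MAC address, NAS-IP and secrets below are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869 / RFC 3579)

def attr(atype, value):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([atype, len(value) + 2]) + value

def build_access_request(secret, ident, mac):
    """Constructed MAC-auth Access-Request, signed the way a NAS would sign it."""
    # User-Name (1), NAS-IP-Address (4, constructed 10.0.0.50), zeroed Message-Authenticator
    attrs = attr(1, mac) + attr(4, bytes([10, 0, 0, 50])) + attr(MSG_AUTH, bytes(16))
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + os.urandom(16)
    pkt = header + attrs
    digest = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + digest  # Message-Authenticator is the last attribute here

def verify_message_authenticator(packet, secret):
    """Access-Request check: True/False, or None if the attribute is absent."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        if atype == MSG_AUTH:
            if alen != 18:
                raise ValueError("Message-Authenticator must carry 16 bytes")
            received = packet[pos + 2:pos + 18]
            # Recompute over the packet with the attribute value zeroed
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:length]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += alen
    return None

if __name__ == "__main__":
    pkt = build_access_request(b"constructed-secret", 1, b"aabbccddeeff")
    # Second candidate differs only by a trailing space
    for candidate in (b"constructed-secret", b"constructed-secret "):
        print(repr(candidate), verify_message_authenticator(pkt, candidate))
```

Running the verifier over an Access-Request captured between the switch and ClearPass, with the key configured on the NAD entry, shows whether the switch is actually signing with that key at the moment the failure occurs.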