Occasional Contributor II

Unable to reach the external Radius server for management authentication

Hello all,

 

I have deployed a standalone VMC in the cloud. I am trying to set up management authentication with an external RADIUS server.

 

May 20 10:09:33 authmgr[3869]: <121010> <3869> <ERRS> |authmgr| |aaa| Error 101,Network is unreachable sending 146 bytes on radius socket 63
May 20 10:09:43 authmgr[3869]: <121010> <3869> <ERRS> |authmgr| |aaa| Error 101,Network is unreachable sending 142 bytes on radius socket 63
May 20 11:54:55 authmgr[3869]: <121010> <3869> <ERRS> |authmgr| |aaa| Error 101,Network is unreachable sending 141 bytes on radius socket 63

May 20 11:54:55 authmgr[3869]: <121010> <3869> <ERRS> |authmgr| |aaa| Error 101,Network is unreachable sending 141 bytes on radius socket 63
May 20 11:56:19 authmgr[3869]: <121010> <3869> <ERRS> |authmgr| |aaa| Error 101,Network is unreachable sending 141 bytes on radius socket 63
May 20 11:57:45 authmgr[3869]: <121010> <3869> <ERRS> |authmgr| |aaa| Error 101,Network is unreachable sending 141 bytes on radius socket 63
May 20 11:59:07 authmgr[3869]: <121010> <3869> <ERRS> |authmgr| |aaa| Error 101,Network is unreachable sending 142 bytes on radius socket 63

I keep seeing this message over and over in error.log.

 

I suspect the RADIUS server is unreachable from the VMC. I have the default route to the cloud gateway. SSH and the WebGUI work fine on the public IP.

 

(Batman) [mynode] #show ip route

Codes: C - connected, O - OSPF, R - RIP, S - static
M - mgmt, U - route usable, * - candidate default, V - RAPNG VPN/Branch

Gateway of last resort is Imported from DHCP to network 0.0.0.0 at cost 10
Gateway of last resort is Imported from CELL to network 0.0.0.0 at cost 10
Gateway of last resort is Imported from PPPOE to network 0.0.0.0 at cost 10
C 10.1.96.0/24 is directly connected, VLAN1
M X.246.X.0/23 is directly connected to mgmt interface

Management Gateway of last resort is 207.246.120.1 to network 0.0.0.0
M* 0.0.0.0/0 via X.246.X.1*

 

Note: my management IP is the public address.

Is there a difference between

#ip default-gateway mgmt <next hop>

and #ip default-gateway <next hop> cost?

 

This is my RADIUS config:

[Screenshots of the RADIUS server configuration were attached to the original post; not reproduced here.]

Is there any way to check, for a specified destination IP, what the exit interface will be?

What am I missing here?
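The error.log lines quoted above already carry the diagnosis. "Error 101, Network is unreachable" is the text for Linux errno 101, ENETUNREACH, which sendto() raises locally when the IP stack has no route from the chosen source address to the destination. No packet leaves the box, so a capture on the RADIUS server will show no Access-Request at all; that is a different failure from a timeout, where the request is sent but never answered. The parser below is an added example, not part of the original post and not ArubaOS code: it takes the authmgr lines exactly as posted (embedded as sample input), extracts the fields, and classifies the errno against the standard Linux numbering.

```python
"""Classify the authmgr RADIUS send errors from an ArubaOS error.log.

Added example, not Aruba code. The sample input is the log excerpt from the
post above; the errno table is the standard Linux numbering, which is what
"Error 101,Network is unreachable" corresponds to (ENETUNREACH).
"""
import collections
import re

SAMPLE_LOG = """\
May 20 10:09:33 authmgr[3869]: <121010> <3869> <ERRS> |authmgr| |aaa| Error 101,Network is unreachable sending 146 bytes on radius socket 63
May 20 10:09:43 authmgr[3869]: <121010> <3869> <ERRS> |authmgr| |aaa| Error 101,Network is unreachable sending 142 bytes on radius socket 63
May 20 11:54:55 authmgr[3869]: <121010> <3869> <ERRS> |authmgr| |aaa| Error 101,Network is unreachable sending 141 bytes on radius socket 63
May 20 11:56:19 authmgr[3869]: <121010> <3869> <ERRS> |authmgr| |aaa| Error 101,Network is unreachable sending 141 bytes on radius socket 63

some unrelated line that must be skipped
"""

# syslog timestamp, process[pid], <msgid> <pid> <severity>, |module| |submodule|, then the errno text
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]: <(?P<msgid>\d+)> <\d+> <(?P<sev>\w+)> "
    r"\|(?P<module>\w+)\| \|(?P<sub>\w+)\| "
    r"Error (?P<errno>\d+),(?P<text>.+?) sending (?P<bytes>\d+) bytes on radius socket (?P<sock>\d+)$"
)

# Linux errno values a UDP sendto()/recvfrom() can surface, and where each one places the failure.
LINUX_ERRNO = {
    101: ("ENETUNREACH", "local: no route from the chosen source address; the packet was never sent"),
    113: ("EHOSTUNREACH", "next hop: a route exists but the gateway or host could not be reached"),
    111: ("ECONNREFUSED", "remote: host reached, ICMP port unreachable returned; nothing listens on that UDP port"),
}


def parse_line(line):
    """Return a dict of fields for one authmgr RADIUS send-error line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("pid", "msgid", "errno", "bytes", "sock"):
        rec[key] = int(rec[key])
    rec["errno_name"], rec["cause"] = LINUX_ERRNO.get(rec["errno"], ("?", "errno not in table"))
    return rec


def summarize(log_text):
    """Group send errors by errno: occurrences, sockets and payload sizes seen."""
    summary = collections.defaultdict(lambda: {"count": 0, "sockets": set(), "bytes": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = summary[rec["errno"]]
        s["count"] += 1
        s["sockets"].add(rec["sock"])
        s["bytes"].add(rec["bytes"])
        s["name"], s["cause"] = rec["errno_name"], rec["cause"]
    return dict(summary)


def diagnose(log_text):
    """One verdict line per errno, plus the routing hint when the failure is local to the controller."""
    summary = summarize(log_text)
    notes = [
        f"errno {num} ({s['name']}) x{s['count']} on socket(s) {sorted(s['sockets'])}: {s['cause']}"
        for num, s in sorted(summary.items())
    ]
    if 101 in summary:
        notes.append("ENETUNREACH comes from the controller's own IP stack, so a capture on the RADIUS "
                     "server will never show the Access-Request; check which route the source address uses.")
    return notes


if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE_LOG)))
```

Run it against the full error.log to see whether every failure is the local ENETUNREACH (routing on the controller) or whether some are EHOSTUNREACH/ECONNREFUSED, which would already point past the controller.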


All Replies
MVP Guru

Re: Unable to reach the external Radius server for management authentication

First, check that the connectivity (IP, ports, shared secret, etc.) is correct. Use the command below to generate an authentication request with some fake credentials. It will tell you whether the authentication fails or times out.

 

aaa test-server [pap|mschapv2] [auth server name] [username] [password] verbose

e.g.

(Aruba7030) *[mynode] #aaa test-server mschapv2 RADIUS01 username password verbose

 

At the moment it looks like, based on your configuration that you do not have a route to the auth server.

 

What is the IP address of your RADIUS server and what should be doing the routing? 


ACMP, ACSA, ACDX #985

[Accepted solution]

Occasional Contributor II

Re: Unable to reach the external Radius server for management authentication

Hello Craig,

 

Interface mgmt has the public IP address, in the same subnet as the cloud internet gateway. I have a default route to the cloud internet gateway (207.246.120.1). So if I try to reach the RADIUS server (public IP) on the internet, should it not take the default route? Is that only for management?

 

(Batman) [mynode] #show ip route

Codes: C - connected, O - OSPF, R - RIP, S - static
M - mgmt, U - route usable, * - candidate default, V - RAPNG VPN/Branch

Gateway of last resort is Imported from DHCP to network 0.0.0.0 at cost 10
Gateway of last resort is Imported from CELL to network 0.0.0.0 at cost 10
Gateway of last resort is Imported from PPPOE to network 0.0.0.0 at cost 10
C 10.1.96.0/24 is directly connected, VLAN1
M 207.246.120.0/23 is directly connected to mgmt interface

Management Gateway of last resort is 207.246.120.1 to network 0.0.0.0
M* 0.0.0.0/0 via 207.246.120.1*

 

(Batman) [mynode] #show configuration

hostname "Batman"

vlan 1
interface vlan 1
ip address 207.246.120.96 255.255.254.0
!

interface mgmt
shutdown
!
interface gigabitethernet 0/0/0
no shutdown
no spanning-tree
trusted vlan 1-4094
trusted
description "GE0/0/0"
!
interface gigabitethernet 0/0/1
shutdown
no spanning-tree
trusted vlan 1-4094
trusted
description "GE0/0/1"
!
interface gigabitethernet 0/0/2
shutdown
no spanning-tree
trusted vlan 1-4094
trusted
description "GE0/0/2"
!
interface port-channel 0
trusted
trusted vlan 1-4094
!
interface port-channel 1
trusted
trusted vlan 1-4094
!
interface port-channel 2
trusted
trusted vlan 1-4094
!
interface port-channel 3
trusted
trusted vlan 1-4094
!
interface port-channel 4
trusted
trusted vlan 1-4094
!
interface port-channel 5
trusted
trusted vlan 1-4094
!
interface port-channel 6
trusted
trusted vlan 1-4094
!
interface port-channel 7
trusted
trusted vlan 1-4094
!
controller-ip vlan 1
ip default-gateway 207.246.120.1

clock timezone PST -8 0

mgmt-user admin root ffd5e29101c29090f6135e3fb609c9fdc4d2256d95a851bd12

end

 

The management interface shows shutdown, but I see it up and running:

 

(Batman) [mynode] #show ip interface brief

Interface IP Address / IP Netmask Admin Protocol VRRP-IP
vlan 1 10.1.96.1 / 255.255.255.0 up up
loopback unassigned / unassigned up up
mgmt 207.246.120.96 / 255.255.254.0 up up

 

(Batman) [mynode] #show interface vlan 1

VLAN1 is up line protocol is up
Hardware is CPU Interface, Interface address is 5A:00:02:C5:A9:21 (bia 5A:00:02:C5:A9:21)
Description: 802.1Q VLAN
Internet address is 10.1.96.1 255.255.255.0
IPv6 Router Advertisements are disabled
Routing interface is enable, Forwarding mode is enable
Directed broadcast is disabled, BCMC Optimization disabled ProxyARP disabled Suppress ARP enable
Encapsulation 802, loopback not set
MTU 1500 bytes
Last clearing of "show interface" counters 0 day 6 hr 33 min 14 sec
link status last changed 0 day 6 hr 29 min 10 sec
Proxy Arp is disabled for the Interface
(Batman) [mynode] #show in
interface Interface Status and Configuration
inventory Show hardware inventory

(Batman) [mynode] #show interface mgmt

mgmt is up line protocol is up
Hardware is Ethernet, address is 56:00:02:C5:A9:21
Internet address is 207.246.120.96 255.255.254.0

 

I don't see details on how it fails, even though it says authentication failed:

 

(Batman) [mynode] #aaa test-server pap pfsense batman1 vpn123 verbose

Authentication failed.

 

Further, I set up pfSense as my external RADIUS server; in the packet captures, I don't even see the RADIUS Access-Request from the controller's public IP. The controller should route the packets to the default gateway of the cloud and thus make this work. It seems it acts as a management gateway rather than a default gateway for all the traffic in the controller.

Aruba Employee

Re: Unable to reach the external Radius server for management authentication

Hi,

 

Your controller IP is VLAN 1 with IP 10.1.96.1, so traffic will be initiated from this IP.

 

Did you do a write mem after doing the changes?

What is the output of show running or show configuration effective?

 

(Batman) [mynode] #show ip interface brief

Interface IP Address / IP Netmask Admin Protocol VRRP-IP
vlan 1 10.1.96.1 / 255.255.255.0 up up
loopback unassigned / unassigned up up
mgmt 207.246.120.96 / 255.255.254.0 up up

 

On a side note, make sure you add a restrictive ACL to block access from the internet. You don't want your switch to have a public IP and be reachable from outside.

[Accepted solution]
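To reproduce the aaa test-server check suggested above from outside the controller, and to tell a no-route failure, a timeout and a reject apart (the controller collapses all of them into "Authentication failed"), here is a small PAP Access-Request probe. It is an added example, not Aruba, pfSense or FreeRADIUS code. It builds an RFC 2865 Access-Request (User-Name, PAP-obfuscated User-Password, NAS-IP-Address), checks the Response Authenticator of the reply with the shared secret, and can bind a source address, which lets you mimic the point made above that the request is sourced from the controller-ip on VLAN 1 rather than from the mgmt interface. The server address (192.0.2.10 is a placeholder), port 1812, shared secret and test credentials are assumptions to substitute; build_response is the server side of the exchange, included so the whole round trip can be checked offline.

```python
"""RADIUS (RFC 2865) PAP Access-Request probe.

Added example, not Aruba/pfSense/FreeRADIUS code. Does from any host what
`aaa test-server pap ...` does on the controller, and separates three outcomes:
  - no route from the source address (ENETUNREACH, the controller's Error 101),
  - a timeout (the request left, nobody answered),
  - a reply (Accept/Reject, with the Response Authenticator verified).
Server, port, shared secret and credentials below are placeholders.
"""
import errno
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject", 11: "Access-Challenge"}
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4  # attribute types


def pap_encrypt(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks; block i = p_i XOR MD5(secret + c_{i-1}), c_{-1} = Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev  # chaining uses the ciphertext block, not the plaintext
    return out


def pap_decrypt(cipher: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of pap_encrypt; strips the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = cipher[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, key))
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value; Length includes the two header octets."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(identifier: int, request_auth: bytes, user: str, password: str,
                         secret: bytes, nas_ip: str) -> bytes:
    """Client side: Code 1, Identifier, Length, 16-byte random Request Authenticator, attributes."""
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, pap_encrypt(password.encode(), secret, request_auth))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def build_response(code: int, identifier: int, request_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def check_response(packet: bytes, identifier: int, request_auth: bytes, secret: bytes):
    """Client side: (code, authenticator_ok). False means wrong shared secret, or a reply to another request."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if ident != identifier or length != len(packet):
        return code, False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return code, expected == packet[4:20]


def radius_probe(server: str, secret: str, user: str, password: str, port: int = 1812,
                 source_ip=None, timeout: float = 3.0) -> str:
    """One request, one classified outcome. source_ip (which this host must own) forces the
    source address, e.g. the controller-ip on VLAN 1 rather than the mgmt address."""
    request_auth, identifier = os.urandom(16), os.urandom(1)[0]
    nas_ip = source_ip or "0.0.0.0"
    pkt = build_access_request(identifier, request_auth, user, password, secret.encode(), nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        if source_ip:
            s.bind((source_ip, 0))
        try:
            s.sendto(pkt, (server, port))
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout: request sent but no reply (port/firewall, or this NAS IP is unknown to the server)"
        except OSError as e:
            if e.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
                return f"no route from {nas_ip} to {server}: {e.strerror} (the controller's Error 101)"
            raise
    code, ok = check_response(data, identifier, request_auth, secret.encode())
    if not ok:
        return "reply received but Response Authenticator invalid: shared secret mismatch"
    return CODE_NAMES.get(code, f"unexpected code {code}")


if __name__ == "__main__":
    # Placeholders: substitute the pfSense server address, its shared secret and a test account.
    print(radius_probe("192.0.2.10", "sharedsecret", "batman1", "vpn123"))
```

Run radius_probe with source_ip set to the address the controller sends from, on a host that has that address and the same routing, and the "no route" result is the same Error 101 the controller logs. Two caveats: FreeRADIUS (which is what the pfSense RADIUS package runs) silently discards requests from a NAS IP it has not been told about, so a timeout alone does not prove a routing problem; and an Access-Reject means the path is fine and the problem is the secret or the credentials.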
