Hello Craig,
Interface mgmt has the public IP address in the same subnet as the cloud internet gateway. I have a default route to the cloud internet gateway (207.246.120.1). So if I try to reach the RADIUS server (public IP) on the internet, should it not take the default route? Is that only for management?
(Batman) [mynode] #show ip route
Codes: C - connected, O - OSPF, R - RIP, S - static
M - mgmt, U - route usable, * - candidate default, V - RAPNG VPN/Branch
Gateway of last resort is Imported from DHCP to network 0.0.0.0 at cost 10
Gateway of last resort is Imported from CELL to network 0.0.0.0 at cost 10
Gateway of last resort is Imported from PPPOE to network 0.0.0.0 at cost 10
C 10.1.96.0/24 is directly connected, VLAN1
M 207.246.120.0/23 is directly connected to mgmt interface
Management Gateway of last resort is 207.246.120.1 to network 0.0.0.0
M* 0.0.0.0/0 via 207.246.120.1*
(Batman) [mynode] #show configuration
hostname "Batman"
vlan 1
interface vlan 1
ip address 207.246.120.96 255.255.254.0
!
interface mgmt
shutdown
!
interface gigabitethernet 0/0/0
no shutdown
no spanning-tree
trusted vlan 1-4094
trusted
description "GE0/0/0"
!
interface gigabitethernet 0/0/1
shutdown
no spanning-tree
trusted vlan 1-4094
trusted
description "GE0/0/1"
!
interface gigabitethernet 0/0/2
shutdown
no spanning-tree
trusted vlan 1-4094
trusted
description "GE0/0/2"
!
interface port-channel 0
trusted
trusted vlan 1-4094
!
interface port-channel 1
trusted
trusted vlan 1-4094
!
interface port-channel 2
trusted
trusted vlan 1-4094
!
interface port-channel 3
trusted
trusted vlan 1-4094
!
interface port-channel 4
trusted
trusted vlan 1-4094
!
interface port-channel 5
trusted
trusted vlan 1-4094
!
interface port-channel 6
trusted
trusted vlan 1-4094
!
interface port-channel 7
trusted
trusted vlan 1-4094
!
controller-ip vlan 1
ip default-gateway 207.246.120.1
clock timezone PST -8 0
mgmt-user admin root ffd5e29101c29090f6135e3fb609c9fdc4d2256d95a851bd12
end
The management interface shows shutdown, but I see it up and running:
(Batman) [mynode] #show ip interface brief
Interface IP Address / IP Netmask Admin Protocol VRRP-IP
vlan 1 10.1.96.1 / 255.255.255.0 up up
loopback unassigned / unassigned up up
mgmt 207.246.120.96 / 255.255.254.0 up up
(Batman) [mynode] #show interface vlan 1
VLAN1 is up line protocol is up
Hardware is CPU Interface, Interface address is 5A:00:02:C5:A9:21 (bia 5A:00:02:C5:A9:21)
Description: 802.1Q VLAN
Internet address is 10.1.96.1 255.255.255.0
IPv6 Router Advertisements are disabled
Routing interface is enable, Forwarding mode is enable
Directed broadcast is disabled, BCMC Optimization disabled ProxyARP disabled Suppress ARP enable
Encapsulation 802, loopback not set
MTU 1500 bytes
Last clearing of "show interface" counters 0 day 6 hr 33 min 14 sec
link status last changed 0 day 6 hr 29 min 10 sec
Proxy Arp is disabled for the Interface
(Batman) [mynode] #show in
interface Interface Status and Configuration
inventory Show hardware inventory
(Batman) [mynode] #show interface mgmt
mgmt is up line protocol is up
Hardware is Ethernet, address is 56:00:02:C5:A9:21
Internet address is 207.246.120.96 255.255.254.0
I don't see details on how it fails, even though it says authentication failed:
(Batman) [mynode] #aaa test-server pap pfsense batman1 vpn123 verbose
Authentication failed.
Further, I set up pfSense as my external RADIUS server. In the packet captures, I don't even see the RADIUS Access-Request from the controller's public IP. The controller should route the packets to the default gateway of the cloud and thus make this work. It seems it acts as a management gateway rather than a default gateway for all the traffic in the controller.
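As an added example (not part of the post above and not Aruba's own tooling), the script below parses the "show ip route" output pasted earlier and does a longest-prefix lookup for a destination, optionally ignoring routes flagged M (mgmt). Treating M-flagged routes as unavailable to non-management traffic is the hypothesis the post raises and is applied here purely as an assumption, not as documented controller behaviour. The RADIUS server address 203.0.113.10 is a constructed placeholder; the route lines are copied from the post.

```python
import ipaddress
import re

# Constructed sample input: the "show ip route" output pasted in the post above.
SHOW_IP_ROUTE = """\
Codes: C - connected, O - OSPF, R - RIP, S - static
M - mgmt, U - route usable, * - candidate default, V - RAPNG VPN/Branch
Gateway of last resort is Imported from DHCP to network 0.0.0.0 at cost 10
C 10.1.96.0/24 is directly connected, VLAN1
M 207.246.120.0/23 is directly connected to mgmt interface
Management Gateway of last resort is 207.246.120.1 to network 0.0.0.0
M* 0.0.0.0/0 via 207.246.120.1*
"""

# A route line: one code letter, optional candidate-default '*', a prefix, then the rest.
# Legend and "Gateway of last resort" lines do not match and are skipped.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z])(?P<cand>\*?)\s+(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s+(?P<rest>.*)$"
)
NEXT_HOP_RE = re.compile(r"via\s+(\d{1,3}(?:\.\d{1,3}){3})")
CONNECTED_RE = re.compile(r"directly connected(?: to)?,?\s+(?P<iface>.+?)\s*$")


def parse_routes(text):
    """Return a list of route dicts parsed from 'show ip route' text."""
    routes = []
    for raw in text.splitlines():
        m = ROUTE_RE.match(raw.strip())
        if not m:
            continue
        rest = m.group("rest")
        hop = NEXT_HOP_RE.search(rest)
        conn = CONNECTED_RE.search(rest)
        routes.append({
            "code": m.group("code"),
            "candidate_default": m.group("cand") == "*",
            "network": ipaddress.ip_network(m.group("prefix"), strict=False),
            "next_hop": hop.group(1) if hop else None,
            "interface": conn.group("iface") if conn else None,
        })
    return routes


def lookup(routes, destination, include_mgmt=False):
    """Longest-prefix match for destination.

    Assumption (the post's hypothesis, not documented behaviour): routes coded
    'M' serve only management-sourced traffic, so they are excluded unless
    include_mgmt is True. Returns None when no usable route covers the address.
    """
    dst = ipaddress.ip_address(destination)
    candidates = [
        r for r in routes
        if (include_mgmt or r["code"] != "M") and dst in r["network"]
    ]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r["network"].prefixlen)


def default_route_summary(routes):
    """Split the 0.0.0.0/0 entries into mgmt-flagged and non-mgmt next hops."""
    defaults = [r for r in routes if r["network"].prefixlen == 0]
    return {
        "mgmt_default": [r["next_hop"] for r in defaults if r["code"] == "M"],
        "non_mgmt_default": [r["next_hop"] for r in defaults if r["code"] != "M"],
    }


if __name__ == "__main__":
    table = parse_routes(SHOW_IP_ROUTE)
    radius_server = "203.0.113.10"  # constructed placeholder for the pfSense RADIUS host
    print("default routes:", default_route_summary(table))
    print("data-plane route to RADIUS:", lookup(table, radius_server))
    print("route incl. mgmt:", lookup(table, radius_server, include_mgmt=True))
```

With the post's table, the only 0.0.0.0/0 entry is the M* route via 207.246.120.1, so the lookup for the RADIUS address returns None unless management routes are included. That matches what the capture on pfSense showed (no Access-Request arriving) and gives a quick way to re-check after adding a non-management default route.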