Radius management authentication on LS6200

Q-Ant
Member
Posts: 32
Joined: 12 Mar 2010 09:38


Post by Q-Ant » 16 Jul 2010 07:58

Does anyone have some advice on how to set up RADIUS authentication for the 6200LS switch?

I use the same server I do for other models but I constantly get rejected. Does someone know whether attributes should be different for the 6200LS? Some code snippet?


Post by Q-Ant » 19 Aug 2010 04:43

Anyone? This should be trivial but I'm stuck :D

Version of the OS is 1.0.2.38

I've setup RADIUS authentication for telnet and http access. When I try to access with correct username and password I get rejected and the following message is printed to the console: "%AAA-W-REJECT: New telnet connection for user PASSWORD, source 1.2.3.4 destination 10.11.12.13 REJECTED"

Please notice that instead of the user, the switch shows the password I've entered. This does not happen with a nonexistent username/password; then the switch shows the username I've used and also rejects the connection.

The switch is added as client to MS NPS server, and it is communicating with no problems.

This is the configuration snippet:
radius-server host 10.10.10.10 auth-port 1812 usage login
radius-server key RADIUSKEY
radius-server source-ip 1.2.3.4
radius-server timeout 15
radius-server deadtime 1
management access-list FULL_ACCESS
permit
exit
management access-class FULL_ACCESS
aaa authentication enable default none
ip http authentication radius local
aaa authentication login default radius


Post by Q-Ant » 27 Aug 2010 07:17

OK, tried with the newer AOS 1.7.0.13

Tried removing attributes I'm returning for other Alcatel switches. Nothing helps.

Does anyone know which VSA attribute I should return the privilege level in for the LS6200?

cedric1
Member
Posts: 603
Joined: 26 May 2009 18:00
Location: Luxembourg ACSE R6

Post by cedric1 » 02 Sep 2010 05:55

No idea ?
I will ask

Cedric


Post by Q-Ant » 08 Sep 2010 07:34

I have this issue resolved.

The following should be done in order for Radius auth on LS6200 to work:
- the attribute that must be returned is Cisco-Av-Pair and its value should be "shell:priv-lvl:15" (without quotes, where 15 is the privilege level user will have)
- Service-Type should be "Administrative" (remove all other)
- the client should be "Cisco"
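The Access-Accept described in this post, as an added example that is not code from the thread or from Alcatel-Lucent: a small Python script that encodes Service-Type = Administrative (RFC 2865 value 6) and a Cisco vendor-specific attribute (vendor id 9, vendor type 1 = Cisco-AVPair) carrying the privilege level, computes the RFC 2865 response authenticator over the shared secret, and decodes such a packet back so you can check what the server actually returns, for instance from a capture taken during a failing login. The shared secret RADIUSKEY is taken from the configuration snippet above; the request authenticator and packet identifier are constructed for the demo. The post writes the pair as shell:priv-lvl:15, while the form Cisco documents is shell:priv-lvl=15; the decoder accepts both and the encoder emits the '=' form, so adjust it if your firmware expects the other.

```python
"""Encode and decode a RADIUS Access-Accept carrying the attributes this thread
identifies for LS6200 management login. Added example, not the forum's or the
vendor's code; secret, identifier and request authenticator are constructed."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
SERVICE_TYPE_ADMINISTRATIVE = 6   # "Administrative" in NPS, RFC 2865 Service-Type 6
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1                  # vendor type 1 = Cisco-AVPair


def avp(attr_type, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(text):
    """Vendor-Specific attribute (26) wrapping one Cisco-AVPair string."""
    vendor_data = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vendor_data)


def build_access_accept(identifier, request_authenticator, secret, priv_lvl=15):
    """Access-Accept with Service-Type=Administrative and shell:priv-lvl=<n>."""
    attrs = avp(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE))
    attrs += cisco_avpair(f"shell:priv-lvl={priv_lvl}")
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # RFC 2865 section 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response_authenticator(packet, request_authenticator, secret):
    """True if the reply was produced by a server holding the same shared secret."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attributes(packet):
    """Return (service_type, [Cisco-AVPair strings]) from a RADIUS reply."""
    service_type, avpairs, pos = None, [], 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        value = packet[pos + 2:pos + length]
        if attr_type == ATTR_SERVICE_TYPE:
            service_type = struct.unpack("!I", value)[0]
        elif attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vendor_type, vendor_len = value[4], value[5]
            if vendor_id == CISCO_VENDOR_ID and vendor_type == CISCO_AVPAIR:
                avpairs.append(value[6:4 + vendor_len].decode())
        pos += length
    return service_type, avpairs


def privilege_level(avpairs):
    """Privilege level from a Cisco-AVPair; accepts 'shell:priv-lvl=15' and the
    colon form 'shell:priv-lvl:15' quoted in the thread, else None."""
    for pair in avpairs:
        if pair.startswith("shell:priv-lvl"):
            rest = pair[len("shell:priv-lvl"):]
            if rest[:1] in ("=", ":") and rest[1:].isdigit():
                return int(rest[1:])
    return None


def demo():
    """Round trip: build the reply, verify it, and read back what it grants."""
    secret = b"RADIUSKEY"                 # from the thread's config snippet
    request_auth = bytes(range(16))       # constructed; real value comes from the request
    packet = build_access_accept(7, request_auth, secret)
    ok = verify_response_authenticator(packet, request_auth, secret)
    service_type, avpairs = parse_attributes(packet)
    return ok, service_type, avpairs, privilege_level(avpairs)


if __name__ == "__main__":
    print(demo())
```

The authenticator check is the first thing to look at when a switch rejects a reply that NPS logs as accepted: a secret mismatch makes the switch discard the Access-Accept silently, which looks identical to a reject from the client side.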


Post by cedric1 » 08 Sep 2010 15:30

hello

thx

What do you mean by "the client should be "Cisco""?

Cedric


Post by Q-Ant » 22 Sep 2010 08:09

When choosing the client type in the NPS service and choosing the "Vendor name", instead of "RADIUS Standard" you should choose "Cisco".

Although it no longer seems to have any influence (I've moved to the dedicated server and both "Cisco" and "RADIUS Standard" work).


Post by cedric1 » 22 Sep 2010 12:04

ok good to know

thx for update

Cedric
