
EX Series - Authentication issue with Radius server - IP address radius source

  • 1.  EX Series - Authentication issue with Radius server - IP address radius source

    Posted 09-25-2014 14:30

    Hi everyone,

    Currently I have the following configuration on my switch.

     

    EX4500> show configuration system radius-server
    1.2.3.4 {
        port 1645;
        secret "XXXX???????XXXXXXXXX???????"; ## SECRET-DATA
        timeout 10;
        retry 3;
        source-address 10.10.10.10;
    }

     

    EX4500> show configuration interfaces vlan.4
    family inet {
        address 10.10.10.10/27;
    }

     

    With only the previous configuration I can get access to my switch. On my RADIUS server the request is received with the IP address 0.10.10.10. Later, I had to configure another VLAN interface with another IP address:

     

    EX4500> show configuration interfaces vlan.316
    family inet {
        address 10.10.33.19/29;
    }

     

    After the previous configuration I can't get access to my switch. When I check the logs on the RADIUS server, I see the request is received with the last IP address configured, on VLAN 316 (10.10.33.19). This means that the request is being generated with the last IP configured. I tried configuring more VLAN interfaces... the result was the same: the origin IP of the request changes after a new VLAN interface is configured on the switch.

    With this issue I can't configure a VLAN interface (layer-three interface) for troubleshooting purposes because this affects my access through RADIUS.

    Does anybody know how I can solve this definitively? Is this a bug? Do I need an additional configuration?

     

    Thanks in advance.



  • 2.  RE: EX Series - Authentication issue with Radius server - IP address radius source

    Posted 09-27-2014 04:55

    Are you sure that the 10.10.10.10 ip-address is "up up" on the switch?  If it is a VLAN interface, there needs to be an active port in the associated vlan for the interface to be marked as up.



  • 3.  RE: EX Series - Authentication issue with Radius server - IP address radius source

    Posted 09-30-2014 13:34

    Hi Ronf,

     

    Thanks for your reply!

     

    Yes! I'm sure that the IP address is up/up and associated with a physical interface.



  • 4.  RE: EX Series - Authentication issue with Radius server - IP address radius source

     
    Posted 09-30-2014 03:56

    Also confirm that you don't have:

     

    set system default-address-selection 

     

    configured, as this will source all control traffic from the loopback address, or whichever IP is deemed to be the system IP (usually the lowest).



  • 5.  RE: EX Series - Authentication issue with Radius server - IP address radius source

    Posted 09-30-2014 13:40

    Hi dfex,

     

     

    Thanks for your reply. I don't have the command 'set system default-address-selection' configured.

     



  • 6.  RE: EX Series - Authentication issue with Radius server - IP address radius source
    Best Answer

    Posted 08-18-2016 13:59

    After many attempts we finally found the solution. The EX switch uses the last IP address configured (VLAN L3 or mgmt interfaces) as the NAS origin IP. If you validate this attribute (the origin IP address) on your RADIUS server, you must set this command on the EX switches to ensure the request originates from the IP address that you want.

     

    set system radius-options attributes nas-ip-address [mgmt IP address]

     

    For the first example the command is:

     

    set system radius-options attributes nas-ip-address 10.10.10.10
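
Added example (not part of the thread and not Juniper code): a Python check a RADIUS administrator can run over a captured Access-Request to see which address the switch put in the NAS-IP-Address attribute (RFC 2865 type 4) next to the packet's UDP source. The two packets are constructed samples; that the UDP source follows `source-address` while the attribute carried 10.10.33.19 is an assumption drawn from the thread, and the function names are hypothetical.

```python
import ipaddress
import struct

NAS_IP_ADDRESS = 4  # RFC 2865 attribute type for NAS-IP-Address
USER_NAME = 1       # RFC 2865 attribute type for User-Name

def build_access_request(attrs):
    """Build a constructed Access-Request (code 1) from (type, value) pairs."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", 1, 1, 20 + len(body), bytes(16)) + body

def parse_attributes(packet):
    """Return {type: value} for the attribute TLVs of a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length, _auth = struct.unpack("!BBH16s", packet[:20])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match the datagram")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:  # alen includes the 2-byte header
            raise ValueError("malformed attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def check_nas_ip(packet, udp_source, expected):
    """Compare the UDP source and the NAS-IP-Address attribute with the client entry."""
    raw = parse_attributes(packet).get(NAS_IP_ADDRESS)
    nas_ip = str(ipaddress.IPv4Address(raw)) if raw and len(raw) == 4 else None
    return {"udp_source": udp_source, "nas_ip": nas_ip,
            "source_ok": udp_source == expected, "nas_ip_ok": nas_ip == expected}

def _sample(nas_ip):
    # Constructed sample: User-Name plus the NAS-IP-Address under test.
    return build_access_request([
        (USER_NAME, b"admin"),
        (NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed),
    ])

BEFORE_FIX = _sample("10.10.33.19")  # attribute follows the last configured interface
AFTER_FIX = _sample("10.10.10.10")   # after setting nas-ip-address 10.10.10.10

if __name__ == "__main__":
    for label, pkt in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, check_nas_ip(pkt, "10.10.10.10", "10.10.10.10"))
```

A server policy that matches on the attribute rejects the first packet even though its UDP source is the registered client address.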

     

     



  • 7.  RE: EX Series - Authentication issue with Radius server - IP address radius source

    Posted 12-12-2018 11:16

    set system radius-options attributes nas-ip-address [mgmt IP address]

     

    If I do this it uses the correct port, but I get an error that I cannot log in; our RAD server responds with an execpt

     

     



  • 8.  RE: EX Series - Authentication issue with Radius server - IP address radius source

    Posted 12-12-2018 14:12

    Apparently my account was locked in the Juniper box........... odd