Hi all,
I am having some difficulty getting RADIUS authentication working for a couple of stacks of Dell N3048 switches I have.
First, some info about the environment:
- 2 stacks of N3048s (5 switches and 6 switches)
- Windows Network Policy Server, used as the RADIUS server
- Both stacks of switches are linked using a port channel
- Both stacks of switches running OSPF to exchange routes, running VRRP for 1 VLAN
- The RADIUS server is connected to one stack
- Both stacks experience the same issue
- Both stacks are on the latest firmware, 6.2.0.5
- Both stacks have 10 VLANs set up
The only configuration I put in is this:
aaa authentication login "networkList" local radius
radius-server key hidden
radius-server host auth 192.168.30.240
primary
name "dc1"
As the switches have multiple IPs assigned, I also tried setting
radius-server source-ip 192.168.39.2
I have left that off for now.
Now for the problem. Once RADIUS has been configured as above, I then try to telnet or SSH to the switch stack. Once I put in my username and password, the RADIUS request times out. I verify this by showing the RADIUS statistics on the switch: the timeout counter increases.
Before the first RADIUS authentication attempt, I run a ping to the RADIUS server, and it works:
level12-stack#ping 192.168.30.240 source 192.168.39.2
Pinging 192.168.30.240 with 0 bytes of data:
Reply From 192.168.30.240: icmp_seq = 0. time= 1604 usec.
Reply From 192.168.30.240: icmp_seq = 1. time= 1050 usec.
Reply From 192.168.30.240: icmp_seq = 2. time= 961 usec.
Reply From 192.168.30.240: icmp_seq = 3. time= 1004 usec.
----192.168.30.240 PING statistics----
4 packets transmitted, 4 packets received, 0% packet loss
round-trip (msec) min/avg/max = 0/1/1
After I have tried to authenticate I can no longer ping it, or any other host in the network:
level12-stack#ping 192.168.30.240 source 192.168.39.2
Pinging 192.168.30.240 with 0 bytes of data:
Ping failed.
level12-stack#ping 192.168.31.254
Pinging 192.168.30.240 with 0 bytes of data:
Ping failed.
When I check the log on the switch the following error is logged for each ping request:
<188> Apr 22 10:11:30 level12-stack-1 General[procLOG]: ping_debug.c(627) 3859 %% [VRF-ID:0] Cannot allocate entry - duplicate name and index
I can still ping the switch stack from hosts in the network.
Once I reload the stack master so that the master transfers to another switch, ping starts working again as normal. As soon as I try and authenticate with RADIUS again, the same problem repeats.
I repeated this process while taking a packet capture on the RADIUS server; I see no requests come in at all.
My next step was to run 100 pings. While the ping was still running I then tried to authenticate with my RADIUS login, and it worked. Once the ping was done I tried to log in again and it failed, and I got the same problem when trying to ping again. I then have to reload the master so I can ping hosts on the network again.
I don't have any VRFs set up, so I am guessing VRF 0 is the default.
Has anyone been able to get RADIUS auth working on these switches without issue? I am not sure what I could be missing. I have opened a support case already for this but am waiting to hear back from that as well.
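A probe for the RADIUS side of the problem described above, added here as an example and not part of the original post or of Dell's or Microsoft's code: it builds an RFC 2865 Access-Request with PAP (User-Password) encoding, sends it from a chosen source address the way `radius-server source-ip` does on the switch, checks the Response Authenticator against the shared secret, and distinguishes a timeout from an Accept or Reject. The server address, NPS shared secret, username, password and source address are placeholders you supply; it is run from a host whose address NPS has registered as a RADIUS client, not from the switch.

```python
import hashlib, secrets, socket, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous ciphertext block)
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def pap_decrypt(encrypted: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # Inverse of pap_encrypt (what the RADIUS server does); strips the zero padding
    out, prev = b"", authenticator
    for i in range(0, len(encrypted), 16):
        out += bytes(a ^ b for a, b in zip(encrypted[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = encrypted[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(username: bytes, password: bytes, secret: bytes,
                         identifier: int, nas_ip: str, authenticator: bytes = b"") -> bytes:
    # Code 1 + ID + Length + 16-byte Request Authenticator, then User-Name(1), User-Password(2), NAS-IP-Address(4)
    authenticator = authenticator or secrets.token_bytes(16)
    enc = pap_encrypt(password, secret, authenticator)
    attrs = (bytes([1, 2 + len(username)]) + username + bytes([2, 2 + len(enc)]) + enc
             + bytes([4, 6]) + socket.inet_aton(nas_ip))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs

def response_is_authentic(request: bytes, response: bytes, secret: bytes) -> bool:
    # RFC 2865 s3: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    if len(response) < 20 or response[1] != request[1]:
        return False
    return response[4:20] == hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()

def probe(server: str, secret: bytes, username: bytes, password: bytes, source_ip: str,
          timeout: float = 3.0, port: int = 1812) -> str:
    # One request bound to source_ip (the probe host's own address, like 'radius-server source-ip' on the switch)
    request = build_access_request(username, password, secret, secrets.randbelow(256), source_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((source_ip, 0))
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"     # what the switch's RADIUS statistics timeout counter counts
    if not response_is_authentic(request, response, secret):
        return "bad-auth"        # a reply that was not signed with our shared secret
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(response[0], "other")
```

Note that a RADIUS server silently discards requests from a client address it does not know or whose shared secret does not match (RFC 2865 section 3), so a missing NPS client entry or a secret mismatch also shows up as a timeout. That is why the packet capture on the NPS host, as done above, is the way to tell a request that never arrived from one that was dropped.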