On Feb 25, 2015, at 7:39 PM, jan hugo prins <jhp@jhprins.org> wrote:
But I also need to accommodate telephones and printers and they don't do EAP themselves. To work around this, the switches we use have an option to configure the switch in such a way that it creates a radius access request based on the MAC address of the client, it's own IP address and the port the client is connected to.
That’s a stupid idea. But I’m not surprised. Vendors are often bad at RADIUS.
This sounds like a simple setup, just add some users with plaintext passwords and start the authentication process. But the problem is that this fails, and it looks like the switch is sending 2 exactly the same authentication requests short after another, and the first one succeeds, but the second one fails.
No. The User-Names are different. Reading the debug log carefully is important. Also, you should fix your LDAP infrastructure. The server is getting redirected to 3-4 different LDAP servers. That’s slow and inefficient.
I also see this when I ping the host, I receive one reply and after that the port is closed again.
Could someone tell me if I have something wrong in my config?
You need to add the second User-Name to the users file. The first one ends with “20”. The second with “22”. Alan DeKok.