Freeradius authentication for VSP VOSS Switch

shamsher singh mr.shamshersingh at gmail.com
Sat Mar 4 00:48:57 UTC 2023


As per the Extreme support

https://extremeportal.force.com/ExtrArticleDetail?an=000056602&q=voss%20radius

Resolution

The RADIUS process includes:

RADIUS authentication, which you can use to identify remote users
before you give them access to a central network site.
RADIUS accounting, which enables data collection on the server during
a remote user’s dial-in session with the client.

Radius Server Attributes for ERS Stackables
Radius Standard
Outbound Attribute    Service-Type (6)
Outbound Value        NAS-Prompt (7) for read only or Administrative (6) for rw

Radius Server Attributes for VOSS Platforms, ERS 8800, VSP 9000
Vendor ID 1584 (Nortel/Avaya)
Outbound Attribute    Access-Priority (192)
Outbound Value        RWA (6)
            RW (5)
            l3 (4)
            l2 (3)
            l1 (2)
            ro (1)
            none (0)

eg : "Free Radius" Script :
VENDOR Nortel 1584
BEGIN-VENDOR Nortel
ATTRIBUTE Access-Priority 192 integer
VALUE Access-Priority none 0
VALUE Access-Priority ro 1
VALUE Access-Priority l1 2
VALUE Access-Priority l2 3
VALUE Access-Priority l3 4
VALUE Access-Priority rw 5
VALUE Access-Priority rwa 6
#CLI Commands
ATTRIBUTE Cli-Commands 193 string
#CLI profile
ATTRIBUTE Command-Access 194 integer
VALUE Command-Access False 0
VALUE Command-Access True 1
#CLI Commands
ATTRIBUTE Commands 195 string
#802 priority (value: 0-7)
ATTRIBUTE EAP-Port-Priority 1 integer
END-VENDOR Nortel

I am not sure what else to configure on the switch or on the Freeradius.

On Fri, Mar 3, 2023 at 2:20 AM marki <jm+freeradiususer at roth.lu> wrote:
>
> This is a problem with the switch/NAS, not with freeradius.
>
> On March 3, 2023 1:07:27 AM GMT+01:00, shamsher singh <mr.shamshersingh at gmail.com> wrote:
> >Hello List,
> >
> >I have been trying to authenticate using radius with Extreme VSP
> >switch, the radius seems to accept the authentication, but the switch
> >still fails
> >
> >
> >Listening on authentication address * port 1812
> >
> >Listening on accounting address * port 1813
> >
> >Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
> >
> >Listening on proxy address * port 1814
> >
> >Ready to process requests.
> >
> >rad_recv: Access-Request packet from host 131.232.33.8 port 44016,
> >id=243, length=68
> >
> >User-Name = "test"
> >
> >User-Password = "test"
> >
> >NAS-IP-Address = 131.232.33.8
> >
> >NAS-Port = 1
> >
> >NAS-Port-Type = Async
> >
> >Service-Type = Administrative-User
> >
> ># Executing section authorize from file /etc/freeradius/sites-enabled/default
> >
> >+group authorize {
> >
> >++[preprocess] = ok
> >
> >++[chap] = noop
> >
> >++[mschap] = noop
> >
> >++[digest] = noop
> >
> >[suffix] No '@' in User-Name = "test", looking up realm NULL
> >
> >[suffix] No such realm "NULL"
> >
> >++[suffix] = noop
> >
> >[eap] No EAP-Message, not doing EAP
> >
> >++[eap] = noop
> >
> >[files] users: Matched entry test at line 2
> >
> >++[files] = ok
> >
> >++[expiration] = noop
> >
> >++[logintime] = noop
> >
> >++[pap] = updated
> >
> >+} # group authorize = updated
> >
> >Found Auth-Type = PAP
> >
> ># Executing group from file /etc/freeradius/sites-enabled/default
> >
> >+group PAP {
> >
> >[pap] login attempt with password "test"
> >
> >[pap] Using clear text password "test"
> >
> >[pap] User authenticated successfully
> >
> >++[pap] = ok
> >
> >+} # group PAP = ok
> >
> ># Executing section post-auth from file /etc/freeradius/sites-enabled/default
> >
> >+group post-auth {
> >
> >++[exec] = noop
> >
> >+} # group post-auth = noop
> >
> >Sending Access-Accept of id 243 to 131.232.33.8 port 44016
> >
> >Service-Type = Administrative-User
> >
> >Finished request 0.
> >
> >Going to the next request
> >
> >Waking up in 4.9 seconds.
> >
> >Cleaning up request 0 ID 243 with timestamp +73
> >
> >Ready to process requests.
> >
> >-------------
> >
> >ssh test@131.232.33.8
> >
> >
> >Using security software from Mocana Corporation. Please visit
> >https://www.mocana.com/ for more information
> >
> >
> >Copyright(c) 2010-2022 Extreme Networks.
> >
> >All Rights Reserved.
> >
> >Virtual Services Platform  7200
> >
> >VSP Operating System Software Build 8.8.0.0
> >
> >General Availability Released Software, Fully supported
> >
> >
> >This product is protected by one or more US patents listed at
> >http://www.extremenetworks.com/patents along with their foreign
> >counterparts.
> >
> >
> >EXTREME NETWORKS VOSS COMMAND LINE INTERFACE
> >
> >
> >test@131.232.33.8's password:
> >
> >Permission denied, please try again.
> >
> >test@131.232.33.8's password:
> >
> >------
> >
> >1 2023-03-02T17:00:37.225-07:00 LAB7K902 CP1 - 0x000d8602 - 00000000
> >GlobalRouter SSH INFO SSH session closed by server for user test on
> >host 131.232.90.103, session_id = 2
> >
> >1 2023-03-02T17:00:37.225-07:00 LAB7K902 CP1 - 0x000d8602 - 00000000
> >GlobalRouter SSH INFO SSH authentication time expired for user test on
> >host 131.232.90.103, session_id = 2
> >
> >1 2023-03-02T17:00:23.615-07:00 LAB7K902 CP1 - 0x0004060b - 00000000
> >GlobalRouter WEB INFO SSL session with client 131.232.90.103 closed.
> >
> >1 2023-03-02T16:59:40.417-07:00 LAB7K902 CP1 - 0x000d8602 - 00000000
> >GlobalRouter SSH INFO SSH invalid username/password for user test on
> >host 131.232.90.103, session_id = 2
> >
> >1 2023-03-02T16:59:40.417-07:00 LAB7K902 CP1 - 0x000a45fc - 00000000
> >GlobalRouter RADIUS INFO Radius message:
> >
> >1 2023-03-02T16:59:40.417-07:00 LAB7K902 CP1 - 0x000a45c0 - 00000000
> >GlobalRouter RADIUS INFO RADIUS authentication failed on server
> >131.232.33.170
> >
> >1 2023-03-02T16:59:40.417-07:00 LAB7K902 CP1 - 0x000a45fc - 00000000
> >GlobalRouter RADIUS INFO Radius message:
> >
> >Thank you,
> >Shamsher
> >-
> >List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
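
Added example, not part of the original post or of the Extreme article: a Python check for whether a RADIUS reply's attribute block carries the Access-Priority attribute (vendor 1584, type 192) that the support article lists for VOSS. The function names and sample byte strings are constructed for illustration, and the layout assumes the standard RFC 2865 Vendor-Specific (type 26) encoding.

```python
import struct

VENDOR_NORTEL = 1584      # Vendor ID quoted from the support article
ACCESS_PRIORITY = 192     # vendor attribute number quoted from the article
LEVELS = {0: "none", 1: "ro", 2: "l1", 3: "l2", 4: "l3", 5: "rw", 6: "rwa"}

def encode_access_priority(level):
    """Build a Vendor-Specific (26) attribute carrying Access-Priority."""
    sub = struct.pack("!BBI", ACCESS_PRIORITY, 6, level)
    return struct.pack("!BBI", 26, 6 + len(sub), VENDOR_NORTEL) + sub

def iter_attributes(data):
    """Yield (type, value) for each type/length/value attribute in data."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        yield atype, data[pos + 2:pos + alen]
        pos += alen

def find_access_priority(attrs):
    """Return the Access-Priority name found in attrs, or None if absent."""
    for atype, value in iter_attributes(attrs):
        if atype != 26 or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != VENDOR_NORTEL:
            continue
        for vtype, vvalue in iter_attributes(value[4:]):
            if vtype == ACCESS_PRIORITY and len(vvalue) == 4:
                level = struct.unpack("!I", vvalue)[0]
                return LEVELS.get(level, "unknown(%d)" % level)
    return None

# Constructed samples: Service-Type = Administrative-User (6) alone, matching
# the Access-Accept in the debug output, and the same reply with
# Access-Priority = rwa appended.
SERVICE_TYPE_ADMIN = struct.pack("!BBI", 6, 6, 6)
REPLY_AS_LOGGED = SERVICE_TYPE_ADMIN
REPLY_WITH_VSA = SERVICE_TYPE_ADMIN + encode_access_priority(6)

if __name__ == "__main__":
    print("as logged:", find_access_priority(REPLY_AS_LOGGED))
    print("with VSA: ", find_access_priority(REPLY_WITH_VSA))
```
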

