D-Link Forums

D-Link Enterprise => DGS-1510-Series => Topic started by: gobris on June 14, 2019, 05:56:57 AM

Title: Radius-802.1X Secondary server problem
Post by: gobris on June 14, 2019, 05:56:57 AM
Hello
I have a dlink 1510-28 with 1.60 firmware which was released recently.

I have one bug report and a missing option on 802.1x which are both very important.
First, missing option.
There is no "radius fail" option in the configuration. I mean if the radius server fails (it might be down or there might be a network problem) you cannot set any default vlan so users can go on using the network.. Cisco users might know that as "authentication event server dead action", and with the "dot1x critical" commands you can set how to behave in case of a radius server fail (not user fail).. So if your radius fails, all users will be on the guest vlan only....which is not acceptable in most cases...

Second case is a serious bug...
I set two radius servers on my network. and set them on my dlink switch for failsafe operation..
My config is;
radius-server deadtime 1
radius-server host 10.1.3.11 key XXXXXX
radius-server host 10.1.3.10 key XXXXXX

which means a deadtime of 1 minute.. and I expect the switch to try the second radius server if the first one goes down..

After this configuration, I blocked all tcp/udp traffic between the switch and the 1st radius server with my firewall.. Tried a few authentication failures to start the deadtime process..

After 5 mins.. on the webgui, the 1st radius server was still in status "UP", and according to the stats, the switch was only trying the first radius server, not the second one...
Which means the backup radius server cannot be used in any case..
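
Added example (not from the post or from D-Link firmware): a small Python model of the server selection a switch is expected to perform under "radius-server deadtime 1" with the two hosts above, so the failover behaviour described in the test can be checked step by step. The number of consecutive no-responses before a host is marked dead (`timeouts_to_dead`) is an assumption for the model, not a DGS-1510 setting.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class RadiusHost:
    address: str
    dead_until: float = 0.0        # epoch seconds; 0 means the host is usable
    consecutive_timeouts: int = 0

@dataclass
class RadiusPool:
    hosts: list                    # configured order: primary first
    deadtime_s: float = 60.0       # "radius-server deadtime 1" -> 1 minute
    timeouts_to_dead: int = 3      # assumption: no-responses before marking dead

    def select(self, now: float) -> Optional[RadiusHost]:
        """First configured host not currently in deadtime, else None."""
        for h in self.hosts:
            if h.dead_until <= now:
                return h
        return None                # all dead: caller must apply its server-fail policy

    def report_timeout(self, host: RadiusHost, now: float) -> bool:
        """Record a no-response; True when the host enters deadtime."""
        host.consecutive_timeouts += 1
        if host.consecutive_timeouts >= self.timeouts_to_dead:
            host.dead_until = now + self.deadtime_s
            host.consecutive_timeouts = 0
            return True
        return False

    def report_success(self, host: RadiusHost) -> None:
        host.consecutive_timeouts = 0
        host.dead_until = 0.0

    def status(self, now: float) -> dict:
        return {h.address: ("DEAD" if h.dead_until > now else "UP") for h in self.hosts}

def simulate_primary_blocked(pool: RadiusPool, attempts: int, start: float = 0.0, spacing: float = 5.0) -> list:
    """Run attempts while the primary never answers; return the host chosen each time."""
    chosen = []
    for i in range(attempts):
        now = start + spacing * i
        host = pool.select(now)
        chosen.append(host.address)
        if host is pool.hosts[0]:
            pool.report_timeout(host, now)   # primary blocked by the firewall
        else:
            pool.report_success(host)        # secondary answers
    return chosen
```

With the constructed timeline (one attempt every 5 s) the primary is marked dead after the third no-response, the secondary carries all requests for the 60 s deadtime, and the primary is retried once the deadtime expires; a status read during that window shows the primary as DEAD rather than UP.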

Title: Re: Radius-802.1X Secondary server problem
Post by: agalloway on February 12, 2023, 11:02:12 AM
We are having an issue with Radius usage for both dot1x and User Authentication.  We have one radius server that handles logging into the switch directly; this performs 2 Factor authentication as given to us by the security team.  The second radius server we want to set up for dot1x.  We are experiencing a problem where whatever type of radius call is used first completely stops the other radius call from taking place.

For example, immediately after a switch reboot, if we try to ssh into the switch first, that call works, but dot1x will fail:

RADIUS: Server Entry is Null or Could not allocate Radius Packet
Link Up: Gi1/0/1

However, if after a switch reboot, we first use dot1x, then ssh authentication will fail:

server Entry is Null or Could not allocate Radius Packet
radiusRequestInfoProcess: Radius server not selected. Request Type: 1 Requestor: 21, USER_MGR
SSH session : Login to the switch is not successful, User ID: <username> Source IP: <ip>

Local port: 22

I have tried changing the order of the radius servers in the configuration, following the blog post on fixing "radius server not responding" (https://notresponding.us/radius-server-is-not-responding/), removing and re-adding them, and constantly trying different switch firmware.  The only solution is reloading the switch in order to get it to do what is needed at that moment.

aaa authentication login "defaultList" local
aaa authentication login "radius_local" radius local
ip http authentication radius local
ip https authentication radius local
authentication enable
authentication dynamic-vlan enable
dot1x system-auth-control
aaa authentication dot1x default radius
aaa authorization network default radius
radius server auth <server 1>
name "server1"
usage authmgr
key 7 <key>
exit
radius server auth <server 2>
name "server2"
usage login
key 7 <key>
exit
line ssh
login authentication radius_local
exit

Test port:

show running-config interface gi1/0/1

storm-control broadcast action trap
storm-control multicast action trap
spanning-tree portfast
spanning-tree guard root
switchport mode general
authentication host-mode single-host
authentication event fail action authorize vlan 5
authentication event no-response action authorize vlan 5
authentication timer reauthenticate 600
dot1x timeout quiet-period 10
dot1x timeout tx-period 10
authentication order dot1x
authentication priority dot1x
switchport port-security