Radius authentication and local XOS username requirement (test results included within)

Article Id: 167941
Status: Published
Updated On: 13-05-2017 11:02
Legacy Id: TECH244103
Products:
XOS
Issue/Introduction:

Logging into a chassis using a username created on the radius server does not work.
Radius server as defined below with "Fallback Local Auth" set default (permit-all)

CBS# show radius-server

Host Name or Host IP  Authentication Port  Timeout (seconds)  Key     Fallback Local Auth 

10.9.1.158            1812                 3               crossbeam  permit-all


 

Cause:

Radius authentication does not work.
The output from the following command:

tcpdump -neei eth2 host <ip address of radius server> port radius


The tcpdump specifically shows a reject message from the radius server.

Resolution:

  1. Define the same username on both XOS and the Radius server using different passwords in each case. The Radius and XOS usernames must match for successful authentication. Password check will be done via Radius using its database.
  2. Logging using the admin (XOS) account will work because the default is permit-all for fallback-to-local settings.

Workaround

N/A