OS6900 RADIUS authentication with Microsoft NPS

Hi all,

I'm trying to configure RADIUS authentication on an OS6900-X48C6 (I'm on 8.8.56.R02) for management purposes.

I'm using Microsoft NPS as a server.

On the switch I've got this config:

 

aaa radius-server "RADIUS" host 192.168.5.203 192.168.5.204 hash-key "0479F41346BE61EB2D202E816A1C0009F513E49AEAEA6AD106D2F386B4169FF1" hash-salt "690DEEF5D3E30C769287566FB6B707DB927EDF22F27AF445824BD96C2CD25E19" retransmit 3 timeout 2 auth-port 1812 acct-port 1813 vrf-name default

aaa authentication http "RADIUS" "local"

NPS is configured and I can see the successful login attempts (event id 6272 "Network Policy Server granted access to a user.") but the switch is giving me an error:

Authentication failure : Server configuration error, contact your administrator

I tried both with this RADIUS attribute and without it:

Vendor Code : 800
Vendor-assigned attribute number : 20 <Alcatel-Nms-Group>
Attribute format : String
Attribute value : Administrators

Any suggestion? Thanks.

Dario Palermo

Ok I just found the additional info I was missing. I had to configure all these custom, vendor specific attributes (vendor code 800):

41 - ffffffff (hexadecimal)
42 - ffffffff (hexadecimal)
9 - all (string)
20 - Administrators (string)

bye,

Dario Palermo

Sorry, still some issues left: I can now authenticate but I'm not seeing the whole set of commands (I'm missing, for example, Configuration under DEVICE MGMT).

I also added attributes 39 and 40 with FFFFFFFF but nothing changed... I'm flying blind as I couldn't find any kind of documentation about RADIUS attributes...

Dario Palermo

There was a change in AuthenticatedSwitchAccess (ASA), so more attributes are now needed:

So very likely you would need all attributes from 39 to 46 to get full access privileges.
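
The following Python is an added example, not code from any poster in this thread: it encodes and decodes RFC 2865 Vendor-Specific attributes (type 26) for vendor code 800, so the attribute bytes of a captured Access-Accept can be checked for the 39 to 46 range mentioned above. The function names and the sample reply are constructed for illustration; the sample mirrors the four attributes listed in the second post.

```python
import struct

VENDOR_ID = 800              # vendor code quoted in the thread
PRIV_ATTRS = range(39, 47)   # 39..46, the range named in the last reply

def encode_vsa(vendor_type, value, vendor_id=VENDOR_ID):
    """Encode one RFC 2865 Vendor-Specific attribute holding a single sub-attribute."""
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return struct.pack("!BBI", 26, len(sub) + 6, vendor_id) + sub

def decode_vsas(attrs, vendor_id=VENDOR_ID):
    """Walk a RADIUS attribute section; return {vendor_type: value} for vendor_id."""
    found, i = {}, 0
    while i < len(attrs):
        if len(attrs) - i < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = attrs[i], attrs[i + 1]
        if a_len < 2 or i + a_len > len(attrs):
            raise ValueError("bad attribute length")
        body = attrs[i + 2:i + a_len]
        if a_type == 26 and len(body) >= 4 and struct.unpack("!I", body[:4])[0] == vendor_id:
            j = 4  # skip the 4-byte Vendor-Id
            while j + 2 <= len(body):
                v_type, v_len = body[j], body[j + 1]
                if v_len < 2 or j + v_len > len(body):
                    raise ValueError("bad vendor sub-attribute length")
                found[v_type] = body[j + 2:j + v_len]
                j += v_len
        i += a_len
    return found

def missing_privilege_attrs(attrs):
    """List which of attributes 39..46 are absent from the reply."""
    found = decode_vsas(attrs)
    return [n for n in PRIV_ATTRS if n not in found]

# Constructed sample: the reply attributes from the second post (41, 42, 9, 20).
SAMPLE_REPLY = (
    encode_vsa(41, bytes.fromhex("ffffffff"))
    + encode_vsa(42, bytes.fromhex("ffffffff"))
    + encode_vsa(9, b"all")
    + encode_vsa(20, b"Administrators")
)

if __name__ == "__main__":
    print(decode_vsas(SAMPLE_REPLY))
    print("missing:", missing_privilege_attrs(SAMPLE_REPLY))
```

Entering `ffffffff` as a string instead of hexadecimal produces an 8-byte ASCII value on the wire rather than 4 bytes, which this decoder makes visible.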