3750 Switch and Radius

Answered Question
Jun 3rd, 2010

Howdy,

We have an OSPF network here with 3750s as the core network switches at points around the ring.  Each of these switches has an IP address that it interfaces to the next point in line, as well as an IP address for management on the switch itself.  We are implementing RADIUS authentication on each of the switches, and herein lies the problem.  When attempting to authenticate a login at the switch via the RADIUS server, the IP address that the server sees is whichever is on the interface of the shortest path (hence OSPF).  So if a link went out in one direction (which does happen on our lovely network), then the RADIUS server would be seeing an attempt to authenticate from a different IP address than what I have entered in the server.  So in order to counter this, I would have to be adding 2 IP addresses per switch to be sure we have a fully redundant authentication server.  However, I was really hoping to use our management IP address for the authentication, no matter which path around our ring it took.

The best way to give you a better picture of what is happening here is to give you some IP addresses and such of what is actually in production right now.  The IP of the switch I am currently working on is 10.7.99.1(our management IP) and the RADIUS server IP is 10.0.99.43.  When I try to authenticate, the attempt is seen by the server as IP 10.6.100.2.  The second IP address that I would have to enter for this switch (in the event that one leg of the ring breaks) is 10.7.100.1.  These 2 addresses are set to VLANs 909 and 910 respectively.  2 of the Gig ports on this switch (one in each direction) are assigned to each of these VLANs.  Our management IP is assigned to VLAN 99 and is assigned to a few various FastEthernet ports that have network monitoring equipment attached to them.

This is about as much of a description as I can provide right now.  Please feel free to ask me any questions needed.  I will post part of our running-config on this switch to serve as a guide.

interface FastEthernet1/0/10
 description Radio-Management-10.7.99.10
 switchport access vlan 99
 spanning-tree portfast
!
interface GigabitEthernet1/1/1
 description Backhaul-10.7.100.10
 switchport trunk allowed vlan 501-517,909
 switchport mode trunk
 speed auto 1000
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 mls qos trust dscp
 auto qos voip trust
!
interface GigabitEthernet1/1/2
 description Backhaul-10.6.100.20
 switchport trunk allowed vlan 501-517,910
 switchport mode trunk
 speed auto 1000
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 mls qos trust dscp
 auto qos voip trust
!
interface Vlan1
 no ip address
!
interface Vlan99
 description sgrita_management_vlan99
 ip address 10.7.99.1 255.255.255.0
!
interface Vlan200
 description LOCAL_DHCP_ACCESS
 ip address 10.7.200.1 255.255.255.0
!
interface Vlan207
 description AGTECH_DHCP_POOL
 no ip address
!
interface Vlan909
 ip address 10.7.100.1 255.255.255.0
 ip ospf dead-interval minimal hello-multiplier 3
!
interface Vlan910
 ip address 10.6.100.2 255.255.255.0
 ip ospf dead-interval minimal hello-multiplier 3

Correct Answer by Chetan Kumar Ress about 6 years 7 months ago

Hi Thomas

You want that if any link goes down, you should still be able to work with the management IP address, i.e. with a single IP address.

In the RADIUS server you can add the management IP address, and in the switch you can add the command "ip radius source-interface".

So whenever the switch sends a request to the RADIUS server, it will use only the management IP address.

Regards

Chetan kumar
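As an added illustration of the answer above (this is not configuration from the original thread or from the poster's switch), here is a minimal IOS AAA configuration built around the addresses given in the question: management SVI 10.7.99.1 on Vlan99 and RADIUS server 10.0.99.43. The shared secret, the local fallback account, the AAA method lists and the OSPF process id are assumptions and placeholders.

```cisco
! Added example, not the poster's running-config. Uses the addresses from the
! question (management SVI 10.7.99.1 on Vlan99, RADIUS server 10.0.99.43).
! Shared secret, local account, method lists and OSPF process id are assumed.
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
!
! Pre-15.x syntax, as on a 2010-era 3750. The secret must match the client
! entry the RADIUS server keeps for 10.7.99.1 (placeholder value below).
radius-server host 10.0.99.43 auth-port 1812 acct-port 1813 key RADIUS-SECRET-PLACEHOLDER
!
! Without this line IOS sources the Access-Request from whichever SVI the OSPF
! best path to 10.0.99.43 leaves through (Vlan909 or Vlan910), so the server
! sees 10.7.100.1 or 10.6.100.2 and drops the request as an unknown client.
ip radius source-interface Vlan99
!
! The management subnet must be advertised so the server's reply can route
! back over whichever leg of the ring is still up (process id assumed).
router ospf 1
 network 10.7.99.0 0.0.0.255 area 0
!
! Keep a local fallback account so a RADIUS outage does not lock out the
! console; the "local" method above only helps if such an account exists.
username admin privilege 15 secret LOCAL-PASSWORD-PLACEHOLDER
line vty 0 4
 login authentication default
```

Two checks are worth doing after applying this: `test aaa group radius <user> <password> legacy` together with `debug radius` shows which source address the Access-Request leaves with, and the server's client entry must be keyed to exactly that address (10.7.99.1) with the same secret. One caveat: an SVI only stays up while at least one port in that VLAN is up, so if the VLAN 99 monitoring ports ever all go down, so does the RADIUS source; a loopback interface, which the 3750 also supports, avoids that dependency if it is advertised into OSPF in the same way.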


the1337bofh Thu, 06/03/2010 - 12:43

Thank you, Chetan.  I knew it was there and I couldn't think of it for anything at all.  I had so many other things to be working on today with so many storms in the area and project development prime right now.  I was trying to add a static route on VLAN 99 with obvious failure, etc.  I couldn't ever get it out correctly.  However ip radius source-interface vlan 99 worked like a charm and the RADIUS server sees the authentication attempt from 10.7.99.1 no matter which path it takes around the ring.  Thank you again! 

Thomas
