06-03-2010 11:57 AM - edited 03-06-2019 11:24 AM
Howdy,
We have an OSPF network here with 3750s as the core network switches at points around the ring. Each of these switches has an IP address that it interfaces to the next point in line, as well as an IP address for management on the switch itself. We are implementing RADIUS authentication on each of the switches, and herein lies the problem. When attempting to authenticate a login at the switch via the RADIUS server, the IP address that the server sees is whichever is on the interface of the shortest path (hence OSPF). So if a link went out in one direction (which does happen on our lovely network), then the RADIUS server would be seeing an attempt to authenticate from a different IP address than what I have entered in the server. So in order to counter this, I would have to be adding 2 IP addresses per switch to be sure we have a fully redundant authentication server. However, I was really hoping to use our management IP address for the authentication, no matter which path around our ring it took.
The best way to give you a better picture of what is happening here is to give you some IP addresses and such of what is actually in production right now. The IP of the switch I am currently working on is 10.7.99.1 (our management IP) and the RADIUS server IP is 10.0.99.43. When I try to authenticate, the attempt is seen by the server as IP 10.6.100.2. The second IP address that I would have to enter for this switch (in the event that one leg of the ring breaks) is 10.7.100.1. These 2 addresses are set to VLANs 909 and 910 respectively. 2 of the Gig ports on this switch (one in each direction) are assigned to each of these VLANs. Our management IP is assigned to VLAN 99 and is assigned to a few various FastEthernet ports that have network monitoring equipment attached to them.
This is about as much of a description as I can provide right now. Please feel free to ask me any questions needed. I will post part of our running-config on this switch to serve as a guide.
interface FastEthernet1/0/10
 description Radio-Management-10.7.99.10
 switchport access vlan 99
 spanning-tree portfast
!
interface GigabitEthernet1/1/1
 description Backhaul-10.7.100.10
 switchport trunk allowed vlan 501-517,909
 switchport mode trunk
 speed auto 1000
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 mls qos trust dscp
 auto qos voip trust
!
interface GigabitEthernet1/1/2
 description Backhaul-10.6.100.20
 switchport trunk allowed vlan 501-517,910
 switchport mode trunk
 speed auto 1000
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 mls qos trust dscp
 auto qos voip trust
!
interface Vlan1
 no ip address
!
interface Vlan99
 description sgrita_management_vlan99
 ip address 10.7.99.1 255.255.255.0
!
interface Vlan200
 description LOCAL_DHCP_ACCESS
 ip address 10.7.200.1 255.255.255.0
!
interface Vlan207
 description AGTECH_DHCP_POOL
 no ip address
!
interface Vlan909
 ip address 10.7.100.1 255.255.255.0
 ip ospf dead-interval minimal hello-multiplier 3
!
interface Vlan910
 ip address 10.6.100.2 255.255.255.0
 ip ospf dead-interval minimal hello-multiplier 3
06-03-2010 12:29 PM
Hi Thomas
You want that if any link goes down, then you should also be able to work with the management IP address, or with a single IP address.
In the RADIUS server you can add the management IP address, and in the switch you can add the command "ip radius source-interface".
So whenever the switch sends a request to the RADIUS server it will use only the management IP address.
Regards
Chetan kumar
06-03-2010 12:43 PM
Thank you, Chetan. I knew it was there and I couldn't think of it for anything at all. I had so many other things to be working on today with so many storms in the area and project development prime right now. I was trying to add a static route on VLAN 99 with obvious failure, etc. I couldn't ever get it out correctly. However, "ip radius source-interface vlan 99" worked like a charm and the RADIUS server sees the authentication attempt from 10.7.99.1 no matter which path it takes around the ring. Thank you again!
Thomas
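To make the behaviour Chetan describes and Thomas confirms concrete, here is an added example (not part of the thread, and not Cisco's code). It embeds a constructed IOS config excerpt modelled on the thread's SVIs (the aaa and radius-server lines, and the placeholder shared secret, are assumptions added here), then audits which source address the RADIUS server will see for each ring egress, before and after "ip radius source-interface Vlan99" is applied, against the set of NAS client addresses registered on the server. The parser only understands the handful of lines the example needs; it is not a general IOS config parser.

```python
import re

# Constructed excerpt modelled on the switch config in the thread. The aaa and
# radius-server lines are assumptions added for this example; the shared secret
# is a placeholder, not a real value.
SWITCH_CONFIG_BEFORE = """\
aaa new-model
aaa authentication login default group radius local
radius-server host 10.0.99.43 auth-port 1812 acct-port 1813 key PLACEHOLDER_SHARED_SECRET
!
interface Vlan99
 description sgrita_management_vlan99
 ip address 10.7.99.1 255.255.255.0
!
interface Vlan909
 ip address 10.7.100.1 255.255.255.0
 ip ospf dead-interval minimal hello-multiplier 3
!
interface Vlan910
 ip address 10.6.100.2 255.255.255.0
 ip ospf dead-interval minimal hello-multiplier 3
"""

# The fix from the accepted answer: pin RADIUS requests to the management SVI.
SWITCH_CONFIG_AFTER = SWITCH_CONFIG_BEFORE + "!\nip radius source-interface Vlan99\n"

_IFACE_RE = re.compile(r"^interface\s+(\S+)\s*$")
_ADDR_RE = re.compile(r"^\s+ip address\s+(\d+\.\d+\.\d+\.\d+)\s+\S+")
_SRC_RE = re.compile(r"^ip radius source-interface\s+(.+?)\s*$")


def parse_svi_addresses(config):
    """Map each interface name to its primary IPv4 address."""
    svis, current = {}, None
    for line in config.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = _ADDR_RE.match(line)
        if m and current:
            svis[current] = m.group(1)
    return svis


def radius_source_interface(config):
    """Return the configured RADIUS source interface, or None if unset."""
    for line in config.splitlines():
        m = _SRC_RE.match(line)
        if m:
            # The CLI accepts 'vlan 99' but the running-config stores 'Vlan99';
            # strip spaces so both spellings resolve to the same SVI.
            return m.group(1).replace(" ", "")
    return None


def _address_of(svis, name):
    key = name.lower()
    for iface, addr in svis.items():
        if iface.lower() == key:
            return addr
    raise KeyError(f"no address for interface {name}")


def radius_source_ip(config, egress_interface):
    """Source address the RADIUS server sees for a request leaving egress_interface."""
    svis = parse_svi_addresses(config)
    pinned = radius_source_interface(config)
    if pinned:
        return _address_of(svis, pinned)
    # Without a pinned source, locally generated packets carry the address of
    # the outgoing interface, which OSPF changes when a ring link fails.
    return _address_of(svis, egress_interface)


def audit(config, radius_clients, egress_paths=("Vlan909", "Vlan910")):
    """For each possible ring egress, report (source IP, accepted by server?).

    radius_clients is the set of NAS addresses registered on the RADIUS server.
    """
    report = {}
    for egress in egress_paths:
        src = radius_source_ip(config, egress)
        report[egress] = (src, src in radius_clients)
    return report


if __name__ == "__main__":
    clients = {"10.7.99.1"}  # only the management address is registered
    print("before:", audit(SWITCH_CONFIG_BEFORE, clients))
    print("after: ", audit(SWITCH_CONFIG_AFTER, clients))
```

Run as a script it shows that, before the fix, requests leave as 10.7.100.1 or 10.6.100.2 depending on which ring leg OSPF prefers and neither matches the registered NAS address, so the server silently drops them; after the fix both paths source from 10.7.99.1. Two practical points follow from this: the management SVI must itself be advertised into OSPF so replies can come back over either leg, and the RADIUS server then needs exactly one client entry per switch, which is also the entry whose shared secret you rotate.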