
Setting up RADIUS for management access using IDE as RADIUS server

Status
Not open for further replies.

atascoman

Technical User
Oct 10, 2003
868
US
Hello,

I am trying to set up a freshly upgraded Avaya network to use RADIUS auth for SSH/Web/console access for all of the switches and routers. They want to use their Identity Engines server as the RADIUS server. Avaya says this should work, but it's not for some reason. I configured the RADIUS server and reachability settings on a test switch and created an authenticator entry in IDE for that switch as well. When I try to connect to the switch using my AD credentials I get a password failed, but I do not see any auth attempt on the IDE side. I did set up password fallback so I can still access the switch. Not sure what's missing.

These are the commands I used on the switch side (not actual passwords).

radius server host 10.10.243.128 timeout 5
radius server host key "sh@reds3cret"
radius server host 10.10.243.129 secondary
radius reachability mode use-radius username "pap" password "test123"
cli password telnet radius
radius-server password failback


 
I was able to get this to work. Here is the switch side.

eapol enable
radius-server encapsulation ms-chap-v2
radius server host 10.10.10.128 acct-enable timeout 5
radius server host 10.10.10.129 secondary
radius server host 10.10.10.128 used-by eapol
radius server host 10.10.10.128 key Shared@Secret!
radius server host 10.10.10.129 secondary used-by eapol
radius-server password fallback
cli pass tel radius

On the IDE side you have to create a wired access policy and have it check the credentials against AD, and if they match the correct group etc., the policy needs to return an Outbound Value set to Outbound-Service-Type=6. This will give rwa access to the user. I have tested this with other wired access policies being implemented on the same switch so I am not sure how they would coexist. This customer wanted RADIUS access set up but demanded IDE be used as the RADIUS server.
 