11-04-2011 09:38 AM
The command you have provided doesn't work on my switch, 5100 FOS 6.4.0b.
aaaconfig --authspec "RADIUS;local" -backup -- is that correct?
I attach a zip file with the screenshots.
NPS is Network Policy Server where I can configure RADIUS as in IAS but this is new to me too.
11-04-2011 10:45 AM
I saw an error on your switch configuration. You paste the character in the aaaconfig command authspec. You need quotes and not the HTML tag for quotes.
In the first step remove the password policy from your RADIUS config.
Just to sort the errors out.
Change CHAP to PAP protocol. Your logfile shows the following:
Reason The user could not be authenticated using Challenge Handshake Authentication Protocol (CHAP). A reversibly encrypted password does not exist for this user account. To ensure that reversibly encrypted passwords are enabled, check either the domain password policy or the password settings on the user account.
This means you have currently not set up the Windows AD parameter correctly which allows reversibly encrypting the password, which is needed to use CHAP. Some AD guys or security admins will not allow this change.
This topic is written in the Brocade documentation.
The only way out is to use PAP with all pros and cons or to switch to LDAP/AD which also needs some extension to AD which is sometimes difficult to get from the AD guys as well.
I hope this helps,
11-07-2011 06:57 AM
I have tested with various configurations again but the error still occurs.
The switch now has two AAA Services - RADIUS and Switch database backup - as I want (configured with disabled ethernet connection - normal behavior?).
The NPS RADIUS Connection Request Policy, I like to configure, seems to be problematic. Currently I have a local Server2008 only, without AD.
I used your IAS example and also configured as it is in the Admin Guide for Windows, but so far no success.
Error: ReasonCode 49
Reason The RADIUS request did not match any configured connection request policy (CRP).
The CRP is the only policy I have configured currently.
11-07-2011 09:55 AM
Now you have a different error message.
Your first error was because the password cannot be encoded by Windows due to the fact that you have used CHAP and not set the registry.
Now I assume that you use PAP on the Brocade SAN switch as protocol.
In this case you have now a new or additional configuration issue.
Your Connection Request Policy is wrong.
The client does not match your configuration.
Please provide me some more details of the RADIUS client configuration and Connection Request Policy.
Pictures are helpful.
11-08-2011 12:49 AM
Correct syntax is:
aaaconfig --add SERVER_IP_ADDRESS, where is the RADIUS Server
aaaconfig --show, list RADIUS settings
All that requires a correctly configured RADIUS Server, Port, Secret Password, Vendor Attributes, and Auth-Protocol should be set as CHAP.
PAP is supported but not suggested.
NOTE: If the server has more than one Ethernet adapter, make sure the RADIUS is pointed to the defined IP address.
11-08-2011 12:55 AM
Gunter had problems with his server because the Windows registry is not set up correctly to support CHAP!
So it would be good in the first step to get RADIUS up and running with PAP and in the second step to switch to CHAP when he has managed to get the RADIUS config up and running on the Windows box.
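The PAP/CHAP difference behind the "reversibly encrypted password" error discussed in this thread, as an added example that is not part of any post: with PAP the RADIUS server recovers the typed password and can compare it against a one-way store, while CHAP (RFC 1994) needs the cleartext on the server to recompute the response. All values, function names and the PBKDF2 store are constructed assumptions, not the NPS or Fabric OS implementation.

```python
import hashlib
import hmac

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pap_hide(password, secret, req_auth):
    """RFC 2865 User-Password: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = xor_bytes(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def pap_recover(hidden, secret, req_auth):
    """Server side: the shared secret yields the cleartext password again."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += xor_bytes(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def chap_response(chap_id, password, challenge):
    """RFC 1994: MD5(ID + password + challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def one_way(password, salt):
    # Stand-in for any one-way password store (assumption, not Windows' format).
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)

def check_pap(hidden, secret, req_auth, salt, stored):
    # PAP works with a one-way store: recover, hash, compare.
    candidate = one_way(pap_recover(hidden, secret, req_auth), salt)
    return hmac.compare_digest(candidate, stored)

def check_chap(chap_id, challenge, response, cleartext):
    # Without a recoverable password the expected response cannot be computed.
    if cleartext is None:
        return False
    return hmac.compare_digest(chap_response(chap_id, cleartext, challenge), response)

# Constructed sample values.
SECRET, SALT = b"shared-secret", b"constructed-salt"
PASSWORD = b"Sw1tchAdm1n-pass-example"
REQ_AUTH, CHALLENGE = bytes(range(16)), bytes(range(16, 32))
STORED = one_way(PASSWORD, SALT)
```

The trade-off with PAP is that the password is protected on the wire only by the shared secret, and both the switch and the RADIUS server handle it in cleartext.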