GS2210-48p randomly stops sending Radius requests

Kevin_FT · May 2020

So I've noticed this a few times now. Randomly on some of the 60+ switches I have had them become inaccessible from login (both webpage and SSH). I can usually go into radius and disable the client then proceed to SSH into switch with the local creds. But the only way to get the switch back to talking through Radius is to reboot the entire switch itself.

Logs on switch itself state that it does flip between the 2 radius servers I have configured then a no authentication message.

1 May 20 12:11:31 WA authentication: RADIUS Authentication - change RADIUS server from 1 to 2
2 May 20 12:10:04 NO authentication: SSH authentication failure [username: Name, IP address = 172.xxx.xxx.xxx]
Firmware Version - V4.50(AAHV.2) | 02/27/2018

I haven't tried the latest firmware yet, This switch has also been up for 357 days, but this shouldn't stop the radius server.
Anyone else having experience this issue? Is there a way to just restart the radius service without disrupting the site connected to this switch? The external logging server never actually shows a radius request leaving the switch until after the restart also.

Zyxel小編 Lucious · May 2020

Hi @Kevin_FT

For starters, it's recommended to upgrade to latest 4.50(AAHV.3)C0 which includes the new bugfix.
As for your issue:
1. What is the frequency of the "stop sending" symptom?
2. May I know what RADIUS servers you are using?
3. Could you provide the config (including AAA setting) for us?

Zyxel_Lucious

Kevin_FT · May 2020

1. No direct frequency as I'd have to pour through daily config downloads to find out when that stopped.
2. Microsoft NPS V10.0.17763.1
3.

hostname "GS2210"

time timezone -700

time daylight-saving-time

time daylight-saving-time start-date second sunday march 2

time daylight-saving-time end-date first sunday november 2

timesync server 172.xx.xx.xx

timesync ntp

snmp-server version v3v2c

snmp-server get-community XXXXXXXX

snmp-server set-community XXXXXXXX

snmp-server trap-community XXXXXXXX

snmp-server trap-destination 172.xx.xx.xx

snmp-server trap-destination 172.xx.xx.xx enable traps interface linkup linkdown lldp transceiver-ddm storm-control zuld

snmp-server trap-destination 172.xx.xx.xx enable traps switch mactable

service-control http 80 5

remote-management 2

remote-management 3

remote-management 4

remote-management 1 start-addr 172.xx.xx.xx end-addr 172.xx.xx.xx service telnet ftp http icmp snmp ssh https

remote-management 2 start-addr 172.xx.xx.xx end-addr 172.xx.xx.xx service ftp icmp snmp ssh https

remote-management 3 start-addr 172.xx.xx.xx end-addr 172.xx.xx.xx service ftp icmp snmp ssh https

remote-management 4 start-addr 172.xx.xx.xx end-addr 172.xx.xx.xx service ftp icmp snmp ssh https

syslog

syslog type system

syslog type interface

syslog type switch

syslog type aaa

syslog type ip

syslog server 172.xx.xx.xx level 6

aaa accounting system radius broadcast

aaa accounting exec start-stop radius broadcast

aaa accounting dot1x start-stop radius broadcast

aaa accounting commands 0 stop-only tacacs+ broadcast

The one odd piece which leads me to believe that AAA requests are being sent is that SSH will accept the local logins with the radius client enabled, but no AD creds. The webpage will not accept the local creds, or AD creds until I disable the client on the radius server, which will enable the local logins only.

Zyxel小編 Lucious · May 2020

@Kevin_FT

From your config I don't see config about authentication (in AAA setup) and RADIUS server.
Can you give me the complete config by PM?

Zyxel小編 Lucious · May 2020

@Kevin_FT

We've tested locally with 2 RADIUS servers working with GS2210 and seemed working fine when flipping between servers.

Image: https://us.v-cdn.net/6029482/uploads/editor/mz/wx2d6hcx5d8v.jpg

Maybe you should check if any abnormal log in the 2nd RADIUS server?

GS2210-48p randomly stops sending Radius requests

All Replies

Categories

Switch Help Center