Tuesday, June 11, 2013

Need Attention: Radware Authenticate with Radius Failed!

Recently, I ran into a problem with RADIUS authentication on Radware.
The details:
I used two Radware LinkProof appliances as a VRRP pair, with the configuration recommended in the guide.
But the two appliances were separated in VRRP status, because the VR interfaces were all down at that time.
Then I set up RADIUS authentication on both boxes.
Then the problem appeared! The Master LP could not pass RADIUS authentication, but the Backup box had no problem.
I captured traffic on the master box and found that when I entered the correct RADIUS account/password, the LP sent it to the RADIUS server and the RADIUS server returned an access message. But the user could not pass authentication. In the console interface and support files, I could find the message "function failed". It is so weird!
At first, I thought it was OOM (out of memory), so I tried restarting and upgrading it. But it still didn't work......
After lots of testing, I found the problem: when VRRP isn't working but the VR status is UP, and at the same time the interface grouping option is enabled, the RADIUS function stops working.
So that is why I could pass authentication on the backup box but not on the Master box: the backup box's interface grouping is disabled in the default setting.

After working out this problem, another problem came up.
I wanted to use a dynamic token with RADIUS authentication. It worked fine the first time, but when I wanted to log in a second time, it failed.
For example, I log in to Radware via HTTP with the dynamic token the first time, then I want to log in to the command interface via SSH or telnet within a relatively short period of time. It will fail.
Through capture and analysis, I found the problem: after the first successful login, during the period set by the "Radius client life time" option, the second authentication is not sent to the RADIUS server. (I use 3600 seconds for this option.)
So, you may ask, why not lower the life time value?
In this case, the random password of the dynamic token changes every minute. So if I set this value too low, users will need to authenticate repeatedly. But if I set this value to more than one minute, another login will fail even with the password that is correct on the RADIUS server!
This is a contradictory situation.
I have no suggestion for this issue. I have already sought advice from a Radware support engineer; they can do nothing...
So, I don't suggest using dynamic token authentication on Radware.
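
The conflict between a cached login and a one-minute token can be reproduced with a small model. This is an added example, not code from the post or from Radware; it assumes the device checks a repeat login against the password it cached at the first success (one explanation consistent with the capture above), and `CachingClient`, `RadiusServer` and `simulate` are hypothetical names.

```python
import hashlib
import hmac
import struct

TOKEN_STEP = 60                        # token changes every minute (from the post)
SECRET = b"12345678901234567890"       # RFC 4226 test secret, used as constructed data

def token_code(secret: bytes, now: int) -> str:
    """Stand-in for the dynamic token: HOTP over the current 60 s window."""
    digest = hmac.new(secret, struct.pack(">Q", now // TOKEN_STEP), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"

class RadiusServer:
    """Constructed server that accepts only the code valid for the current window."""
    def __init__(self, secret: bytes):
        self.secret, self.requests = secret, 0
    def check(self, user: str, code: str, now: int) -> bool:
        self.requests += 1
        return hmac.compare_digest(code, token_code(self.secret, now))

class CachingClient:
    """Assumed device behaviour: reuse the last accepted password for `lifetime` s."""
    def __init__(self, server: RadiusServer, lifetime: int):
        self.server, self.lifetime, self.cache = server, lifetime, {}
    def login(self, user: str, code: str, now: int) -> bool:
        entry = self.cache.get(user)
        if entry and now < entry[1]:
            # Inside the lifetime: no request goes to the server, so a fresh
            # token code is compared with the stale cached one and rejected.
            return hmac.compare_digest(code, entry[0])
        ok = self.server.check(user, code, now)
        if ok:
            self.cache[user] = (code, now + self.lifetime)
        return ok

def simulate(lifetime: int, gap: int):
    """First login at t=60, second login `gap` seconds later with a fresh code."""
    server = RadiusServer(SECRET)
    client = CachingClient(server, lifetime)
    t0, t1 = 60, 60 + gap
    first = client.login("admin", token_code(SECRET, t0), t0)
    second = client.login("admin", token_code(SECRET, t1), t1)
    return first, second, server.requests

if __name__ == "__main__":
    print("lifetime 3600 s:", simulate(3600, 120))  # second login never reaches server
    print("lifetime 30 s:  ", simulate(30, 120))    # every login reaches the server
```
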
