After an update to 8.8.152.R01 I am having an error when running a command from my RADIUS user login

David1025 · March 18, 2022, 3:40pm

Recently I have upgraded my microcode from 8.7.252.R02 to 8.8.152.R01. We use a RADIUS server for authentication into the switches and before the upgrade I could run every command I needed to. Now after the upgrade when I try to run the command "show lanpower slot 1/1" or "lanpower slot 1/1 service stop/start" I receive the error of ERROR: Authorization failed. No functional privileges for this command. Our accounts are supposed to have administrative privileges and we have not changed anything other than the microcode. I tested it on a switch with the 8.7 code and it works fine still but not the 8.8. This is the only command I have run so far that gives me this error. Below I have pasted the output of the show aaa priv hexa command which I compared to the other switches on the old microcode and they are the exact same config.

These are the read-write families

Read-Write families = file ssh scp-sftp telnet ntp dshell debug system aip snmp rmon webmgt config chassis module interface pmm port-mapping health ip rip ospf bgp vrrp ip-routing ipmr ipms vlan bridge stp 802.1Q linkaggregation ip-dhcp fips qos loadbalancing session ipsec da-unp aaa ripng ospfv3 isis netsec tftp vrf bfd-std licensing ha-vlan mcm capability vfc avlan grm spb-isis evb appfp

show aaa priv hexa file = 0x00000001 0x00000000 0x00000000 0x00000000, ssh = 0x00000002 0x00000000 0x00000000 0x00000000, scp = 0x00000004 0x00000000 0x00000000 0x00000000, telnet = 0x00000008 0x00000000 0x00000000 0x00000000, ntp = 0x00000010 0x00000000 0x00000000 0x00000000, dshell = 0x00000020 0x00000000 0x00000000 0x00000000, debug = 0x00000040 0x00000000 0x00000000 0x00000000, system = 0x00000080 0x00000000 0x00000000 0x00000000, lldp = 0x00000100 0x00000000 0x00000000 0x00000000, snmp = 0x00000200 0x00000000 0x00000000 0x00000000, rmon = 0x00000400 0x00000000 0x00000000 0x00000000, webmgt = 0x00000800 0x00000000 0x00000000 0x00000000, config = 0x00001000 0x00000000 0x00000000 0x00000000, chassis = 0x00002000 0x00000000 0x00000000 0x00000000, module = 0x00004000 0x00000000 0x00000000 0x00000000, interface = 0x00008000 0x00000000 0x00000000 0x00000000, pmm = 0x00010000 0x00000000 0x00000000 0x00000000, port-mapping = 0x00020000 0x00000000 0x00000000 0x00000000, health = 0x00040000 0x00000000 0x00000000 0x00000000, ip = 0x00080000 0x00000000 0x00000000 0x00000000, rip = 0x00100000 0x00000000 0x00000000 0x00000000, ospf = 0x00200000 0x00000000 0x00000000 0x00000000, bgp = 0x00400000 0x00000000 0x00000000 0x00000000, vrrp = 0x00800000 0x00000000 0x00000000 0x00000000, ip-routing = 0x01000000 0x00000000 0x00000000 0x00000000, ip-xrout = 0x02000000 0x00000000 0x00000000 0x00000000, ipmr = 0x04000000 0x00000000 0x00000000 0x00000000, ipms = 0x08000000 0x00000000 0x00000000 0x00000000, vlan = 0x10000000 0x00000000 0x00000000 0x00000000, bridge = 0x20000000 0x00000000 0x00000000 0x00000000, stp = 0x40000000 0x00000000 0x00000000 0x00000000, 802.1q = 0x80000000 0x00000000 0x00000000 0x00000000, linkagg = 0x00000000 0x00000001 0x00000000 0x00000000, ip-helper = 0x00000000 0x00000002 0x00000000 0x00000000, link-fault-propogation = 0x00000000 0x00000004 0x00000000 0x00000000, fips = 0x00000000 0x00000008 0x00000000 0x00000000, dns = 0x00000000 0x00000010 0x00000000 0x00000000, qos = 0x00000000 0x00000020 0x00000000 0x00000000, policy = 0x00000000 0x00000040 0x00000000 0x00000000, slb = 0x00000000 0x00000080 0x00000000 0x00000000, session = 0x00000000 0x00000100 0x00000000 0x00000000, ipsec = 0x00000000 0x00000200 0x00000000 0x00000000, da-unp = 0x00000000 0x00000400 0x00000000 0x00000000, aaa = 0x00000000 0x00000800 0x00000000 0x00000000, ripng = 0x00000000 0x00001000 0x00000000 0x00000000, ospf3 = 0x00000000 0x00002000 0x00000000 0x00000000, isis = 0x00000000 0x00004000 0x00000000 0x00000000, netsec = 0x00000000 0x00008000 0x00000000 0x00000000, tftp-client = 0x00000000 0x00010000 0x00000000 0x00000000, vrf = 0x00000000 0x00020000 0x00000000 0x00000000, bfd = 0x00000000 0x00040000 0x00000000 0x00000000, mpls = 0x00000000 0x00080000 0x00000000 0x00000000, licence-manager = 0x00000000 0x00100000 0x00000000 0x00000000, ha-vlan = 0x00000000 0x00200000 0x00000000 0x00000000, multi-chassis = 0x00000000 0x00400000 0x00000000 0x00000000, capability = 0x00000000 0x00800000 0x00000000 0x00000000, vfc = 0x00000000 0x01000000 0x00000000 0x00000000, auth-vlans = 0x00000000 0x02000000 0x00000000 0x00000000, svcmgr = 0x00000000 0x04000000 0x00000000 0x00000000, iprout-grm = 0x00000000 0x08000000 0x00000000 0x00000000, vcm = 0x00000000 0x10000000 0x00000000 0x00000000, spb-isis = 0x00000000 0x20000000 0x00000000 0x00000000, evb = 0x00000000 0x40000000 0x00000000 0x00000000, appfp = 0x00000000 0x80000000 0x00000000 0x00000000, autofabric = 0x00000000 0x00000000 0x00000001 0x00000000, sip = 0x00000000 0x00000000 0x00000004 0x00000000, dpi = 0x00000000 0x00000000 0x00000008 0x00000000, isis-vc = 0x00000000 0x00000000 0x00000010 0x00000000, dhcpv6-server = 0x00000000 0x00000000 0x00000020 0x00000000, openflow = 0x00000000 0x00000000 0x00000040 0x00000000, dhcp-message-service = 0x00000000 0x00000000 0x00000080 0x00000000, dhcp-active-lease-service = 0x00000000 0x00000000 0x00000100 0x00000000, dhcp-server = 0x00000000 0x00000000 0x00000200 0x00000000, qmr = 0x00000000 0x00000000 0x00000400 0x00000000, appmon = 0x00000000 0x00000000 0x00000800 0x00000000, vmsnooping = 0x00000000 0x00000000 0x00001000 0x00000000, lbd = 0x00000000 0x00000000 0x00002000 0x00000000, remote-config = 0x00000000 0x00000000 0x00004000 0x00000000, pppoe-ia = 0x00000000 0x00000000 0x00008000 0x00000000, port-manager = 0x00000000 0x00000000 0x00010000 0x00000000, tcam-mgr = 0x00000000 0x00000000 0x00020000 0x00000000, sec-km = 0x00000000 0x00000000 0x00040000 0x00000000, alarm-manager = 0x00000000 0x00000000 0x00080000 0x00000000, device-profile = 0x00000000 0x00000000 0x00100000 0x00000000, storage-locking = 0x00000000 0x00000000 0x00200000 0x00000000, mrp = 0x00000000 0x00000000 0x00400000 0x00000000, pkgmgr = 0x00000000 0x00000000 0x00800000 0x00000000, lanpower = 0x00000000 0x00000000 0x01000000 0x00000000, domain-mpls = 0x00000000 0x00080000 0x00000000 0x00000000, domain-security = 0x00000000 0x02008f00 0x00040000 0x00000000, domain-policy = 0x00000000 0x000000e0 0x00020000 0x00000000, domain-service = 0x00000000 0x04000014 0x00000000 0x00000000, domain-physical = 0x0007e000 0x01c00000 0x00000000 0x00000000, domain-admin = 0x0000007f 0x00010000 0x000003A0 0x00000000, domain-network = 0x0ff80000 0x08067000 0x00000050 0x00000000, domain-layer2 = 0xf0000000 0xe0200003 0x00401000 0x00000000, domain-system = 0x00001f80 0x00100000 0x00A80000 0x00000000, domain-afn = 0x00000000 0x00000000 0x0010080c 0x00000000, domain-datacenter = 0x00000000 0x00000008 0x00000001 0x00000000, domain-vcm = 0x00000000 0x10000000 0x00000000 0x00000000,

Geko · August 29, 2022, 11:03am

Did anyone found a solution for this problem?

David1025 · August 29, 2022, 1:19pm

For anyone still looking for the solution to this. I have listed below the changes that I needed to make in order to get RADIUS working again on my switches to allow admin access to do everything on the switch. I am using freeRadius on a linux server.

You need to add the below syntax into your /usr/share/freeradius/dictionary.xylan it is: ATTRIBUTE Xylan-Acce-Priv-F-W3 45 octets

You then need to add the below syntax to your /etc/raddb/users it is: Xylan-Acce-Priv-F-W3 = 0xFFFFFFFF

So my group for radius looks like this below DEFAULT Group == "netadmins", Auth-Type := PAM Xylan-Asa-Access = "all", Xylan-Acce-Priv-F-W1 = 0xFFFFFFFF, Xylan-Acce-Priv-F-W2 = 0xFFFFFFFF, Xylan-Acce-Priv-F-W3 = 0xFFFFFFFF

Make sure that you remember the (,) at the end of the previous line when adding the new Xylan-Acce-Priv-F-W3 = 0xFFFFFFFF to your users file.

Once you have made these changes, restart the radiusd service and it should work again to give you full access to make changes on the switch.

Prior to the changes my user profile looked like this below:

Access type = ssh,

Access port = Ethernet,

IP address = X.X.X.X,

Read-only domains = AFN ,

Read-only families = auto-fabric isic-vc dhcpv6-server openflow dhcp-message-service dhcp-active-lease-service dhcp-server vm-snooping lbd remote-config pppoe-ia port-manager tcam-mgr sec-km alarm-manager storage-locking mrp pkgmgr lanpower ,

Read-Write domains = Services MPLS VCM ,

Read-Write families = file ssh scp-sftp telnet ntp dshell debug system aip snmp rmon webmgt config chassis module interface pmm port-mapping health ip rip ospf bgp vrrp ip-routing ipmr ipms vlan bridge stp 802.1Q linkaggregation ip-dhcp fips qos loadbalancing session ipsec da-unp aaa ripng ospfv3 isis netsec tftp vrf bfd-std licensing ha-vlan mcm capability vfc avlan grm spb-isis evb appfp

After the changes it looked like this below output and that is when you will know the changes have taken effect.

Access type = ssh, Access port = Ethernet, IP address = X.X.X.X, Read-only domains = None, Read-only families = , Read-Write domains = All , Read-Write families = ,

I hope this helps some people out there with this issue if they come accross it.