GS2210-48p randomly stops sending Radius requests

So I've noticed this a few times now.  Randomly on some of the 60+ switches I have had them become inaccessible from login (both webpage and SSH).  I can usually go into radius and disable the client then proceed to SSH into switch with the local creds.  But the only way to get the switch back to talking through Radius is to reboot the entire switch itself.

Logs on the switch itself state that it does flip between the 2 radius servers I have configured, then a no authentication message.

   1 May 20 12:11:31 WA authentication: RADIUS Authentication - change RADIUS server from 1 to 2
   2 May 20 12:10:04 NO authentication: SSH authentication failure [username: Name, IP address = 172.xxx.xxx.xxx]

Firmware Version - V4.50(AAHV.2) | 02/27/2018

I haven't tried the latest firmware yet. This switch has also been up for 357 days, but this shouldn't stop the radius server.
Anyone else experiencing this issue?  Is there a way to just restart the radius service without disrupting the site connected to this switch?  The external logging server never actually shows a radius request leaving the switch until after the restart also.
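
Added example, not part of the original post and not Zyxel tooling: a Python script that parses switch log lines in the format quoted above and pairs each RADIUS server change with login failures logged within five minutes of it, which is the pattern the post describes. The sample lines, usernames, addresses, the year and the five-minute window are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format of the two log lines quoted in the post:
# index, timestamp (no year), severity code, category, message.
SAMPLE_LOG = """\
   1 May 20 12:11:31 WA authentication: RADIUS Authentication - change RADIUS server from 1 to 2
   2 May 20 12:10:04 NO authentication: SSH authentication failure [username: alice, IP address = 192.0.2.10]
   3 May 20 09:02:15 NO authentication: SSH authentication failure [username: bob, IP address = 192.0.2.11]
   4 May 19 22:40:00 WA authentication: RADIUS Authentication - change RADIUS server from 2 to 1
"""

LINE_RE = re.compile(
    r"^\s*\d+\s+(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"[A-Z]{2}\s+[^:]+:\s+(?P<msg>.*)$"
)
FAILOVER_RE = re.compile(r"change RADIUS server from (\d+) to (\d+)")
FAILURE_RE = re.compile(
    r"(\w+) authentication failure \[username: ([^,]+), IP address = ([^\]]+)\]"
)


def parse(text, year):
    """Yield (timestamp, message); the log has no year, so `year` is an assumption."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["msg"]


def correlate(text, year=2020, window=timedelta(minutes=5)):
    """Pair each RADIUS server change with login failures within `window` of it."""
    events = list(parse(text, year))
    failures = [(ts, m.groups()) for ts, msg in events if (m := FAILURE_RE.search(msg))]
    findings = []
    for ts, msg in events:
        if (fo := FAILOVER_RE.search(msg)):
            near = [f for fts, f in failures if abs(fts - ts) <= window]
            findings.append({"time": ts, "from": fo[1], "to": fo[2], "failures": near})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        flag = "ALERT" if f["failures"] else "info"
        print(flag, f["time"], f"server {f['from']} -> {f['to']}", f["failures"])
```

Run against the syslog server's copy of the switch logs, a server change that coincides with login failures separates this symptom from routine failover.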

All Replies

  • Zyxel_Lucious Zyxel Official Agent Posts: 217  mod
    edited May 22, 2020 3:16PM
    Hi @Kevin_FT

    For starters, it's recommended to upgrade to the latest 4.50(AAHV.3)C0, which includes the new bugfix.
    As for your issue:
    1. What is the frequency of the "stop sending" symptom?
    2. May I know what RADIUS servers you are using?
    3. Could you provide the config (including AAA setting) for us?

    Zyxel_Lucious

  • Kevin_FT Member Posts: 4
    1. No direct frequency as I'd have to pore through daily config downloads to find out when that stopped.
    2. Microsoft NPS V10.0.17763.1
    3. 
    hostname "GS2210"
    time timezone -700
    time daylight-saving-time
    time daylight-saving-time start-date second sunday march 2
    time daylight-saving-time end-date first sunday november 2
    timesync server 172.xx.xx.xx
    timesync ntp
    snmp-server version v3v2c
    snmp-server get-community XXXXXXXX
    snmp-server set-community XXXXXXXX
    snmp-server trap-community XXXXXXXX
    snmp-server trap-destination 172.xx.xx.xx
    snmp-server trap-destination 172.xx.xx.xx enable traps interface  linkup linkdown lldp transceiver-ddm storm-control zuld
    snmp-server trap-destination 172.xx.xx.xx enable traps switch  mactable
    service-control http 80 5
    remote-management 2
    remote-management 3
    remote-management 4
    remote-management 1 start-addr 172.xx.xx.xx end-addr 172.xx.xx.xx service telnet ftp http icmp snmp ssh https
    remote-management 2 start-addr 172.xx.xx.xx end-addr 172.xx.xx.xx service ftp icmp snmp ssh https
    remote-management 3 start-addr 172.xx.xx.xx end-addr 172.xx.xx.xx service ftp icmp snmp ssh https
    remote-management 4 start-addr 172.xx.xx.xx end-addr 172.xx.xx.xx service ftp icmp snmp ssh https
    syslog
    syslog type system
    syslog type interface
    syslog type switch
    syslog type aaa
    syslog type ip
    syslog server 172.xx.xx.xx level 6
    aaa accounting system radius broadcast
    aaa accounting exec start-stop radius broadcast
    aaa accounting dot1x start-stop radius broadcast
    aaa accounting commands 0 stop-only tacacs+ broadcast

    The one odd piece which leads me to believe that AAA requests are being sent is that SSH will accept the local logins with the radius client enabled, but no AD creds.  The webpage will not accept the local creds, or AD creds until I disable the client on the radius server, which will enable the local logins only.
  • Zyxel_Lucious Zyxel Official Agent Posts: 217  mod
    @Kevin_FT

    From your config I don't see config about authentication (in AAA setup) and RADIUS server.
    Can you give me the complete config by PM?
  • Zyxel_Lucious Zyxel Official Agent Posts: 217  mod
    edited May 28, 2020 5:08PM
    @Kevin_FT

    We've tested locally with 2 RADIUS servers working with GS2210 and it seemed to work fine when flipping between servers.

    Maybe you should check whether there is any abnormal log on the 2nd RADIUS server?