v1.5.25 Bug Reports and Comments

[oeyre]

We've now completed upgrading all devices to 1.5.25, no major issues observed.

[sirhc]

Looks like radius authentication isn't working for me on 1.5.25. Worked on a switch with 1.5.14, upgraded it to 1.5.25 and it stopped working. Just says "Invalid username or password"

freeRadius server doesn't throw any errors when running debugger.

Can anyone else confirm it works for them or is broken for them.

Based on answers I may pull Stephen to fix it.

Confirmed BROKEN.

Switch with 1.5.17rc1 and RADIUS config (also FreeRADIUS). Logged in with my RADIUS credentials to verify working.

Rebooted switch first (had been up for a long time) then updated it to 1.5.25. Logged back in and reset admin password.

Logged out and tried my RADIUS password... "Invalid username or password." Can still login with local admin (thankfully).

Also note that the log no longer shows user login events. The previous version was showing both admin and my user name logins when I tested it. 1.5.25 does not.

Well we will get it on the list to fix soon. - FreeRADIUS

[gilljr]

I upgraded a WS-12-250-DC running 1.5.14 to 1.5.25. The upgrade went smooth but post install I had an issue with the new password and tftp uploads of the backup. I have included the switch log for reference.

It would not perform auto updates. I tried disabling tftp, saving, reenabling tftp, and saving again but it would not perform the backup. I switched to a different PC to author this post and when I logged in to copy the log, the password had reverted back to admin. I changed it for a second time and now the auto backup is working.

Code: Select all

Jan 1 00:00:10 admin: stopped ntp daemon
Jan 1 00:00:10 admin: started ntp daemon
Jan 1 00:00:11 admin: sync time via ntp
Jan 1 00:00:14 system: Setting MAC address from flash configuration: EC:13:B2:81:59:BE
Jan 1 00:00:16 admin: stopped ntp daemon
Jan 1 00:00:16 admin: started ntp daemon
Jan 1 00:00:16 admin: sync time via ntp
Jan 1 00:00:18 admin: adding lan (eth0) to firewall zone lan
Jan 1 00:00:18 dropbear[844]: Running in background
Jan 1 00:00:19 netonix: 1.5.25 on WS-12-250-DC
Dec 31 17:00:45 admin: adding lan (eth0) to firewall zone lan
Dec 31 17:00:46 dropbear[1098]: Failed listening on '22': Error listening: Address already in use
Dec 31 17:00:46 dropbear[1105]: Running in background
Dec 31 17:00:46 admin: stopped ntp daemon
Dec 31 17:00:46 admin: started ntp daemon
Dec 31 17:00:46 admin: sync time via ntp
Dec 31 17:00:49 admin: removing lan (eth0.2001) from firewall zone lan
Dec 31 17:00:51 admin: stopped ntp daemon
Dec 31 17:00:51 admin: started ntp daemon
Dec 31 17:00:52 admin: sync time via ntp
Dec 31 17:00:54 admin: adding lan (eth0.2001) to firewall zone lan
Dec 31 17:00:55 admin: stopped ntp daemon
Dec 31 17:00:55 admin: started ntp daemon
Dec 31 17:00:55 admin: sync time via ntp
Feb 25 05:53:14 admin: upgrading certificate
Jan 1 00:00:12 switch[1542]: Detected warm boot
Jan 1 00:00:12 switch[1541]: temp sensor version 3
Jan 1 00:00:16 admin: stopped ntp daemon
Jan 1 00:00:16 admin: started ntp daemon
Jan 1 00:00:16 admin: sync time via ntp
Feb 25 05:54:02 UI[1506]: Configuration changed by admin (xxx.xxx.xxx.xxx)
Feb 25 05:54:02 UI[1506]: Config_Version: 27 => 28
Feb 25 05:54:02 UI[1506]: Credentials_Password => Updated
Feb 25 05:54:04 passwd: Password for admin changed by admin
Feb 25 05:54:09 monitor: restarting shellinaboxd
Feb 25 05:54:10 UI[1772]: Error occurred during TFTP auto backup: tftp: server error: (0) Permission denied
Feb 25 05:56:07 UI[1506]: Configuration changed by admin (xxx.xxx.xxx.xxx)
Feb 25 05:56:07 UI[1506]: Config_Version: 28 => 29
Feb 25 05:56:07 UI[1506]: Auto_Backup_Enable: true => false
Feb 25 05:56:12 UI[1506]: Configuration changed by admin (xxx.xxx.xxx.xxx)
Feb 25 05:56:12 UI[1506]: Config_Version: 29 => 30
Feb 25 05:56:12 UI[1506]: Auto_Backup_Enable: false => true
Feb 25 05:56:22 UI[2301]: Error occurred during TFTP auto backup: tftp: server error: (0) Permission denied
Feb 25 06:06:37 UI[1506]: Configuration changed by admin (xxx.xxx.xxx.xxx)
Feb 25 06:06:37 UI[1506]: Config_Version: 30 => 31
Feb 25 06:06:37 UI[1506]: Credentials_Password => Updated
Feb 25 06:06:38 passwd: Password for admin changed by admin
Feb 25 06:06:48 monitor: restarting shellinaboxd
Feb 25 06:06:49 UI[1005]: Configuration auto backup successful


[gilljr]

I also can verify that radius broke with the update from 1.5.14 to 1.5.25. I forgot to note it in my previous post and I know that this was reported by another user earlier.

[wirelessblue]

I have a WS-26-400-AC that has been running on 1.5.14 for a very long time. I upgraded it to 1.5.25 about a week ago and I have had four lockups now. I'm not sure exactly what is happening but all of a sudden no traffic will pass and I can't ping or SSH into the switch. It's my primary switch so I have not had time to see what's going on at the console. Maybe there is some sort of other hardware issue or something which could be causing trouble. I'm not really sure. Has anyone else seen anything like this? I have no issues with any of the other WS-12-250-DC, WS-8-150-AC, WS-8-150-DC, WS-26, and WS-26-500-DC switch with 1.5.25.

[sirhc]

I have a WS-26-400-AC that has been running on 1.5.14 for a very long time. I upgraded it to 1.5.25 about a week ago and I have had four lockups now. I'm not sure exactly what is happening but all of a sudden no traffic will pass and I can't ping or SSH into the switch. It's my primary switch so I have not had time to see what's going on at the console. Maybe there is some sort of other hardware issue or something which could be causing trouble. I'm not really sure. Has anyone else seen anything like this? I have no issues with any of the other WS-12-250-DC, WS-8-150-AC, WS-8-150-DC, WS-26, and WS-26-500-DC switch with 1.5.25.

Most of my tower switches are either the original ws-24-400-ac or ws-26-400-ac. I have zero issues with them?

Go back to v1.5.14 but enable access control to prevent hack. See if issue goes away but using but I doubt it v1.5.25 is best firmware yet.

Let me know your outcome.

Or you could try factory default and re set up manually as could be corrupted config. I try this first.

Also check all your current sensors for proper watts which if not could indicate a damaged unit.

Or swap it out with spare unit but would suggest upgrade, default, manually set up.

[wirelessblue]

I have a WS-26-400-AC that has been running on 1.5.14 for a very long time. I upgraded it to 1.5.25 about a week ago and I have had four lockups now. I'm not sure exactly what is happening but all of a sudden no traffic will pass and I can't ping or SSH into the switch. It's my primary switch so I have not had time to see what's going on at the console. Maybe there is some sort of other hardware issue or something which could be causing trouble. I'm not really sure. Has anyone else seen anything like this? I have no issues with any of the other WS-12-250-DC, WS-8-150-AC, WS-8-150-DC, WS-26, and WS-26-500-DC switch with 1.5.25.

Most of my tower switches are either the original ws-24-400-ac or ws-26-400-ac. I have zero issues with them?

Go back to v1.5.14 but enable access control to prevent hack. See if issue goes away but using but I doubt it v1.5.25 is best firmware yet.

Let me know your outcome.

Or you could try factory default and re set up manually as could be corrupted config. I try this first.

Also check all your current sensors for proper watts which if not could indicate a damaged unit.

Or swap it out with spare unit but would suggest upgrade, default, manually set up.

I will try factory defaulting it. Thank you.

[Stephen]

Regarding Issues with FreeRadius Login

I have taken some time off our new product line to look into this.

The radius client in the new firmware was upgraded during the openssl upgrade that took place awhile back. This was part of our effort to prevent hacking that clients were dealing with at the time and upgrading freeradius was necessary to work with the new version of openssl.

As a consequence of this, the radius request to the server from the switch now includes the Message-Authenticator header.
It seems this may or may not result in a failure attempt for authentication depending on your network and other policies on freeradius (including the version of freeradius).

This header is there to help prevent the BlastRADIUS vulnerability and it is another potential vector that could have been taken advantage of during that time.

FreeRadius Server Configuration Changes

In my own testing I didn't have issue's with logging in, but if you are experiencing these problems you should be able to fix it by modifying your clients.conf file on your freeradius server as follows:

Code: Select all

client switch {
 ipaddr = <your switch's IP>
 secret = <shared secret with switch>
 require_message_authenticator = true <--- add this line
}


And then restart freeradius.

This will cause freeradius to support encryption using the new header requested by the client on the switch and authentication should be successful.


Final Notes
The minimum version of freeradius required for this to work is 2.1.10. If you are on 3.2.2+ this policy is automatically enforced based on the client request and you don't need to add this modification to your clients.conf

It is strongly advised to upgrade your freeradius server to at least 3.0


This was the only thing that turned up during testing so if you are still experiencing issue's after making this change, please provide us with more details on your configuration on your server and your switch so we can try to fix the issue.

[sakita]

What about the switch event logs not including login events (success or failure)?

[sirhc]

What about the switch event logs not including login events (success or failure)?

I'll ask Stephen to look at that next time he revisits WS or when he needsxa break from WS4.

I consider this event as minor albeit should be fixed you are correct.

We are pushing hard to catch up with WS4 pre production sale.

So existing models have been finalized.

WS4-14- 600-AC / 600-DC / 400-IDC
(2) SFP+ ports
(12) 2.5G POE ports
We dropped External temp humidity sensor, door open sensor, and external relay to control external device such as fans AC or DC

WS4-6-MINI
Same as WS-6-MINI except no barrel connector POE power in on port 1 only but if powered by WS4-14 you have 200 watts. Almost same size but 1 inch longer. Will still fit in same box.

WS4-8-250-AC or DC
(2) SFP+
(6) 2.5G POE ports

WS4-14-TOWER
(2) SFP+ ports
(12) 2.5G POE ports
In an all weather metal chassis tower mountable.
Meant to be fiber/composit fed for data/power

WS4-6- 600-AC / 600-DC / 400-IDC
(2) SFP+ ports
(4) 2.5G POE ports

Used to power tower switch(s) and or up to 4 other devices including WS4-6-MINI(s)

These unit initially will have same feature set as WS line but will get via firmware upgrade routing including OSPF / BGP (not capable of world routes)

Extensive bandwidth control ability via rules sets.

They fearure isolated power supplies, upgraded current sensors and MOSFETS to better harden against ground current and poor grounding.

Tenitive pre sales release small run of WS4-14 and WS4-6 is set for end of April beginning of May.

We dropped the external sensors to keep costs down as Dave thought not many would use

If you disagree speak now or forever hold your peace.