v1.5.25 Bug Reports and Comments

[sirhc]

Here is a screen shot of one of my switches.

This is at main tower where main feed comes in so I left this switch upgrade go until last so it went from v1.5.14 or v1.5.16 to v1.5.25

I just logged into it via UI - ALL GOOD
I also logged into it via SSH - ALL GOOD

I tried to login to UI and SSH via password "admin" and both failed.

As you can see they have been up 64+ days.

[Dawizman]

As mentioned above, I have one switch sitting in this reverted state if there's anything Stephen can pull from it from diagnostic purposes. On the web ui, only admin will work, and from ssh both admin and my configured password are working.

[sirhc]

As mentioned above, I have one switch sitting in this reverted state if there's anything Stephen can pull from it from diagnostic purposes. On the web ui, only admin will work, and from ssh both admin and my configured password are working.

Export config email to Stephen

Then Sadly factory default setup and reconfigure manually. Suspect corrupted config.

But if you have a spare switch default then set it up to mimic troubled unit, export config from spare and then import to switch with issue. SHOULD RESOLVE ISSUE WITHOUT MAJOR DOWN TIME OR TRUCK ROLL.

[Dawizman]

Changing the password after a password self reversion will correct the issue every time so far. This marks 6 out of 12 switches updated where the password has changed, and they have all held the password after changing it a second time. 230 left to go on my network, really hoping it doesn't result in having to mess around creating and loading backup configs on half of them, so hopefully this bug can be found.

I sent Stephen a config & log last night, as well as some further details.

[bipbaep]

Does anyone else experience that PoE on ports "restarts" (goes off and then on) on ports for about 1 sec. on the WS-8-150-AC switch?
We have all types of switches from Netonix, and this issue only occures on WS-8-150-AC with 1.5.25 (have not tried all firmwares between 1.5.16 and 1.5.25).
Reverting back to 1.5.16 fixes the issue.
Powering up the switch and it gives PoE stable between 10- and 60 minutes. Then it suddenly starts to shut off PoE for 1 sec., just enough for the devices connected to loose power, and then it automatically enables PoE for about 2 minutes. Then it can do this continuous for about 1- 2 hours, and then all of a sudden it's all fine and delivers PoE without shuting it off.

This have happened on all 10 WS-8-150-AC switches we have tested.
The logs don't show anything else than that the ethernet goes down and up. Says nothing about PoE.

[sirhc]

Does anyone else experience that PoE on ports "restarts" (goes off and then on) on ports for about 1 sec. on the WS-8-150-AC switch?
We have all types of switches from Netonix, and this issue only occures on WS-8-150-AC with 1.5.25 (have not tried all firmwares between 1.5.16 and 1.5.25).
Reverting back to 1.5.16 fixes the issue.
Powering up the switch and it gives PoE stable between 10- and 60 minutes. Then it suddenly starts to shut off PoE for 1 sec., just enough for the devices connected to loose power, and then it automatically enables PoE for about 2 minutes. Then it can do this continuous for about 1- 2 hours, and then all of a sudden it's all fine and delivers PoE without shuting it off.

This have happened on all 10 WS-8-150-AC switches we have tested.
The logs don't show anything else than that the ethernet goes down and up. Says nothing about PoE.

Don't see it asking community to wheigh in. Since all switches use same SOC, same firmware, same power circuits you would think an issue like this would effect all models the same.

Literally the entire WS line is cut and paste circuit design for the most part just smaller power supply less ports.

I would try factory default manual setup on one unit. Since one of our functions is the ability to turn POE on and off via time a corrupted config could be an issue. Based on your upgrade path over the years something could have gotten smudged.

Also there are tens of thousands of WS-8-150-AC in the wild this is first we heard of it and v1.
5.25 has been out several months....

[gilljr]

Regarding Issues with FreeRadius Login

I have taken some time off our new product line to look into this.

The radius client in the new firmware was upgraded during the openssl upgrade that took place awhile back. This was part of our effort to prevent hacking that clients were dealing with at the time and upgrading freeradius was necessary to work with the new version of openssl.

As a consequence of this, the radius request to the server from the switch now includes the Message-Authenticator header.
It seems this may or may not result in a failure attempt for authentication depending on your network and other policies on freeradius (including the version of freeradius).

This header is there to help prevent the BlastRADIUS vulnerability and it is another potential vector that could have been taken advantage of during that time.

FreeRadius Server Configuration Changes

In my own testing I didn't have issue's with logging in, but if you are experiencing these problems you should be able to fix it by modifying your clients.conf file on your freeradius server as follows:

Code: Select all

client switch {
 ipaddr = <your switch's IP>
 secret = <shared secret with switch>
 require_message_authenticator = true <--- add this line
}


And then restart freeradius.

This will cause freeradius to support encryption using the new header requested by the client on the switch and authentication should be successful.


Final Notes
The minimum version of freeradius required for this to work is 2.1.10. If you are on 3.2.2+ this policy is automatically enforced based on the client request and you don't need to add this modification to your clients.conf

It is strongly advised to upgrade your freeradius server to at least 3.0


This was the only thing that turned up during testing so if you are still experiencing issue's after making this change, please provide us with more details on your configuration on your server and your switch so we can try to fix the issue.

I reviewed your response and am still having the radius issue. My radius server did not have the flag mentioned enabled. I went ahead and spun up a new virtual machine and migrated my radius database to it (It was on an old unsupported OS so it was due for an update).

I tried it with both "require_message_authenticator = auto" and "require_message_authenticator = true". In both cases I still could not get radius to work.

I know that the flag is working as the newer releases of the Mikrotik OS require it by default and now authenticating on Mikrotik works where it did not before without disabling the flag on the Mikrotik.

Could it be the attributes or something else? On auto, this server is working on my Netonix switches using older software. Below is my radius output saying that my test user authenticated successfully.

(141) Received Access-Request Id 126 from <<Netonix IP>>:50223 to <<Radius IP>>:1812 length 64
(141) User-Name = "UUUUU"
(141) User-Password = "PPPPP"
(141) Message-Authenticator = 0xccfe2962b11211636d7b7b71b53559c9
(141) # Executing section authorize from file /etc/raddb/sites-enabled/default
(141) authorize {
(141) policy filter_username {
(141) if (&User-Name) {
(141) if (&User-Name) -> TRUE
(141) if (&User-Name) {
(141) if (&User-Name =~ / /) {
(141) if (&User-Name =~ / /) -> FALSE
(141) if (&User-Name =~ /@[^@]*@/ ) {
(141) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(141) if (&User-Name =~ /\.\./ ) {
(141) if (&User-Name =~ /\.\./ ) -> FALSE
(141) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(141) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(141) if (&User-Name =~ /\.$/) {
(141) if (&User-Name =~ /\.$/) -> FALSE
(141) if (&User-Name =~ /@\./) {
(141) if (&User-Name =~ /@\./) -> FALSE
(141) } # if (&User-Name) = notfound
(141) } # policy filter_username = notfound
(141) [preprocess] = ok
(141) [chap] = noop
(141) [mschap] = noop
(141) [digest] = noop
(141) suffix: Checking for suffix after "@"
(141) suffix: No '@' in User-Name = "UUUUU", looking up realm NULL
(141) suffix: No such realm "NULL"
(141) [suffix] = noop
(141) eap: No EAP-Message, not doing EAP
(141) [eap] = noop
(141) [files] = noop
(141) sql: EXPAND %{User-Name}
(141) sql: --> UUUUU
(141) sql: SQL-User-Name set to 'UUUUU'
rlm_sql (sql): Reserved connection (10)
(141) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(141) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'UUUUU' ORDER BY id
(141) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'UUUUU' ORDER BY id
(141) sql: User found in radcheck table
(141) sql: Conditional check items matched, merging assignment check items
(141) sql: Cleartext-Password := "PPPPP"
(141) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(141) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'UUUUU' ORDER BY id
(141) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'UUUUU' ORDER BY id
rlm_sql (sql): Reserved connection (11)
rlm_sql (sql): Released connection (11)
(141) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(141) sql: --> SELECT groupname FROM radusergroup WHERE username = 'UUUUU' ORDER BY priority
(141) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'UUUUU' ORDER BY priority
(141) sql: User not found in any groups
rlm_sql (sql): Released connection (10)
(141) [sql] = ok
(141) [expiration] = noop
(141) [logintime] = noop
(141) [pap] = updated
(141) } # authorize = updated
(141) Found Auth-Type = PAP
(141) # Executing group from file /etc/raddb/sites-enabled/default
(141) Auth-Type PAP {
(141) pap: Login attempt with password
(141) pap: Comparing with "known good" Cleartext-Password
(141) pap: User authenticated successfully
(141) [pap] = ok
(141) } # Auth-Type PAP = ok
(141) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(141) post-auth {
(141) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
(141) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE
(141) update {
(141) No attributes updated for RHS &session-state:
(141) } # update = noop
(141) sql: EXPAND .query
(141) sql: --> .query
(141) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (19)
(141) sql: EXPAND %{User-Name}
(141) sql: --> UUUUU
(141) sql: SQL-User-Name set to 'UUUUU'
(141) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S.%M')
(141) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'UUUUU', 'PPPPP', 'Access-Accept', '2025-04-16 10:42:49.714998')
(141) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'UUUUU', 'PPPPP', 'Access-Accept', '2025-04-16 10:42:49.714998')
(141) sql: SQL query returned: success
(141) sql: 1 record(s) updated
rlm_sql (sql): Released connection (19)
(141) [sql] = ok
(141) [exec] = noop
(141) policy remove_reply_message_if_eap {
(141) if (&reply:EAP-Message && &reply:Reply-Message) {
(141) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(141) else {
(141) [noop] = noop
(141) } # else = noop
(141) } # policy remove_reply_message_if_eap = noop
(141) } # post-auth = ok
(141) Sent Access-Accept Id 126 from <<Radius IP>>:1812 to <<Netonix IP>>:50223 length 38
(141) Finished request
Waking up in 4.9 seconds.
(141) Cleaning up request packet ID 126 with timestamp +370 due to cleanup_delay was reached
Ready to process requests

[sirhc]

Would be nice for the community to weight in.

Are there any users using free radius and it works for them?

We have tested this on our side and it works.

Would be nice to hear from more people, hopefully some that say it works and others that may have issues then compare info to see what is different from those that work and those that do not.

[gilljr]

Would be nice for the community to weight in.

Are there any users using free radius and it works for them?

We have tested this on our side and it works.

Would be nice to hear from more people, hopefully some that say it works and others that may have issues then compare info to see what is different from those that work and those that do not.

Thank you for the suggestion. I agree as I want to see what I maybe doing incorrectly if this is not a bug issue.

I am using the latest in Rocky Linux 9 with the latest updates using Freeradius from their repository with a mysql backend. I am happy to spin up another machine using a different Linux variant and Freeradius variant that is known to work to be proved wrong.

Linux XXXXX 5.14.0-503.35.1.el9_5.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Apr 3 12:12:16 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

radiusd: FreeRADIUS Version 3.0.21, for host x86_64-redhat-linux-gnu
FreeRADIUS Version 3.0.21
Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT

[shahan]

Upgraded to 1.5.25. Some of the switches do not have the reconfirm password option in the GUI.

I can successfully SSH into the device and enter configure.

When trying to set the credentials by typing credentials - enter. It spits back an invalid command. I have tried all the variations of credentials that I can think of and even tried the ? to make sure everything was spelled correctly. Is there a fix for this?

I also tried a few other commands to see if "credentials" was the only having issues, but most of the other ones are outputting the same invalid command. Any help would be appreciated.