Log into switch with LDAP credentials


Userlevel 1
Currently, we are using accounts created on each switch in order to be able to login.

We do have Extreme Management Center 8.x installed (we have NAC but don't have it fully configured/deployed yet) and have it configured so that users can login to EMC with their LDAP credentials. I know that a user can then use the "Open Device Terminal" via EMC, but we want to know if it is possible (and how we would configure it) so that we can use LDAP accounts instead when they start up PuTTY and SSH to a switch? I have read lots of different posts/articles on this and my head is swimming and I need some guidance/clarity. Thanks!

18 replies

Userlevel 6
Hello,

At this time we can only use the login credentials that were configured under the profile that has been mapped to the switch.

There have been feature requests submitted to be able to submit unique credentials with the "Open Device Terminal" feature to allow tracking of specific users.

Thanks
-Ryan
Userlevel 1
And there is no way on the switch to point it to an LDAP server to check credentials? Our only option to login is to either create a local account on the switch or use the account that has been configured via the "Open Device Terminal" and using the one set of credentials associated with that profile? There is no LDAP lookup option that can be configured on the switch to use a network account to login rather than a local account?

I swear I heard someone say at Extreme Connect that this could be done (use their LDAP credentials to login to a switch via a regular SSH PuTTY session).
Userlevel 6
Correct,

The switch can be configured for RADIUS management login. If you use putty or other remote SSH/telnet tool you will be asked to input credentials. You can send these to NAC which can be pointed to Active Directory for authentication of those credentials.

Here is an article that should help with NAC configuration:

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-NAC-to-handle-Management-...

The "Open Device Terminal" feature does not allow you to input credentials though. Putty, Tera Term, other remote tools will allow this and it can be done with NAC.

Thanks
-Ryan
Userlevel 1
No luck. I attempted to follow those steps in 8.x and think I have it set up, but a login to the switch using my AD account (which is in the AD "XOS Administrators" group) returns "Access Denied". Pictures below.

Userlevel 7
You haven't mentioned whether you've configured the switch for mgmt access authentication via CLI - that would be #2 in the KB article
"Configure the Switches to send management RADIUS requests to the NAC appliance."

As per the last screenshot the config that was done via XMC includes only network access.

!!! don't play around with mgmt access on a production switch - use a test node - or you'd end up with no access in case something is configured not correctly = would be a good idea to configure local fallback !!!
Userlevel 1
Yes, we are doing this on a test node.

I could not find the specific KB article. I found this one, https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-RADIUS-authentication-for... but I don't think it is the one we want as we are using LDAP and not RADIUS.
Userlevel 7
Stephen Stormont wrote:

Yes, we are doing this on a test node.

I could not find the specific KB article. I found this one, https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-RADIUS-authentication-for... but I don't think it is the one we want as we are using LDAP and not RADIUS.

NAC is the RADIUS server and NAC is using your AD (LDAP) to access the user/pw information.
Userlevel 2
Please check your Attribute values, it is not complete, it should have the OU.
Userlevel 7
If you don't know the exact attribute string you'd find it very easily...

- open the NAC Manager Java app
- go to advanced config
- select the LDAP server
- click on Test
- User Search and put in the username and click Search

In the output you'd see the full attribute string - copy/paste that in the XOS Admin Group.

Userlevel 1
Yes, this is a test node. Our SA warned us to not try anything (mgmt access, etc.) on production.

I had not made any of the RADIUS changes from the KB article that I linked, but I didn't have to. I changed the Attribute Value to have the correct OU and now things are working. I guess the RADIUS settings are automatically applied to the switch with no need for the user to make the changes.

Now I am trying to figure out how to add a second rule that will allow the local xmc-cli account on the switch to be able to login as well. This logic doesn't seem to do it.

Userlevel 7
Yes NAC will configure the switch IF you set it correctly and that's the weird thing in this case.

If you take a look on the last screenshot that you've posted the "auth access type" of the switch is set to network access (= auth for the switch ports but not mgmt access).

That would result in the following switch config...

X440G2.10 # show configuration | i radius
configure radius netlogin 1 server 172.24.24.115 1812 client-ip 172.25.25.156 vr VR-Default
configure radius 1 shared-secret encrypted "#$5gX1NdKu8lL4ySMdBGwB5r1OKu63HA=="
enable radius
disable radius mgmt-access
enable radius netlogin
configure radius timeout 15

As you'd see mgmt-access is disabled.

If you set the NAC switch "auth access type" config to "any access" the switch config will also enable radius mgmt-access

X440G2.13 # show configuration | i radius
configure radius 1 server 172.24.24.115 1812 client-ip 172.25.25.156 vr VR-Default
configure radius 1 shared-secret encrypted "#$BqoJkduxAo0xMnKL2uknMYMFLU3Mow=="
enable radius
enable radius mgmt-access
enable radius netlogin
configure radius timeout 15

Some things to keep in mind after some testing...
- it will take 2-3 minutes for NAC to update the switch config - don't test before that is done, check the switch config
- if you set any auth and then switch back to only network access NAC will not disable back the radius mgmt-access config (not sure whether that is a bug) - in case you'd like to disable it you'd need to do it via switch CLI
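The difference between the two switch configs above is easy to miss when reading `show configuration | i radius` by eye. The following Python audit is an added example (not from Extreme or from anyone in this thread): it replays the posted config lines, understands both the numeric `1`/`2` slot form and the older `primary`/`secondary` keyword form, and reports whether RADIUS mgmt-access will actually be consulted for an SSH login. It assumes the EXOS CLI semantics that a `configure radius ... server` or `enable radius`/`disable radius` line without the `mgmt-access`/`netlogin` keyword applies to both scopes, and that a scope never mentioned is disabled.

```python
import re

# `show configuration | i radius` output as posted in this thread.
# "auth access type" = network access: netlogin only, mgmt-access explicitly disabled.
NETWORK_ACCESS_CFG = """\
configure radius netlogin 1 server 172.24.24.115 1812 client-ip 172.25.25.156 vr VR-Default
configure radius 1 shared-secret encrypted "#$5gX1NdKu8lL4ySMdBGwB5r1OKu63HA=="
enable radius
disable radius mgmt-access
enable radius netlogin
configure radius timeout 15
"""

# "auth access type" = any access: the unscoped server line applies to both uses.
ANY_ACCESS_CFG = """\
configure radius 1 server 172.24.24.115 1812 client-ip 172.25.25.156 vr VR-Default
configure radius 1 shared-secret encrypted "#$BqoJkduxAo0xMnKL2uknMYMFLU3Mow=="
enable radius
enable radius mgmt-access
enable radius netlogin
configure radius timeout 15
"""

# primary/secondary keyword form, from the rebuilt switch later in the thread.
PRIMARY_KEYWORD_CFG = """\
configure radius mgmt-access primary server 172.22.64.46 1812 client-ip 172.22.32.1 vr VR-Default
configure radius mgmt-access primary shared-secret encrypted "I)sGr8lkuGSTtmo/HA{7?;"
enable radius mgmt-access
enable radius netlogin
"""

SCOPES = ("mgmt-access", "netlogin")
SERVER_RE = re.compile(
    r"^configure radius(?: (?P<scope>mgmt-access|netlogin))?"
    r" (?P<slot>primary|secondary|\d+) server (?P<host>\S+) (?P<port>\d+)"
)
STATE_RE = re.compile(r"^(?P<state>enable|disable) radius(?: (?P<scope>mgmt-access|netlogin))?$")


def audit_radius(config_text):
    """Replay the config top to bottom and report the resulting RADIUS state.

    Assumption (EXOS CLI semantics): a server or enable/disable line without the
    mgmt-access/netlogin keyword applies to both; a scope never mentioned stays disabled.
    """
    enabled = {scope: False for scope in SCOPES}
    servers = {scope: {} for scope in SCOPES}   # scope -> slot -> (host, port)
    for raw in config_text.splitlines():
        line = raw.strip()
        m = SERVER_RE.match(line)
        if m:
            slot = {"primary": 1, "secondary": 2}.get(m["slot"]) or int(m["slot"])
            for scope in ([m["scope"]] if m["scope"] else SCOPES):
                servers[scope][slot] = (m["host"], int(m["port"]))
            continue
        m = STATE_RE.match(line)
        if m:
            for scope in ([m["scope"]] if m["scope"] else SCOPES):
                enabled[scope] = m["state"] == "enable"

    findings = []
    if not enabled["mgmt-access"]:
        findings.append("mgmt-access disabled: SSH/console logins are checked against local accounts only")
    elif not servers["mgmt-access"]:
        findings.append("mgmt-access enabled but no mgmt-access RADIUS server configured")
    elif len(servers["mgmt-access"]) < 2:
        findings.append("single mgmt-access RADIUS server: no secondary if it stops responding")
    if enabled["netlogin"] and not servers["netlogin"]:
        findings.append("netlogin enabled but no netlogin RADIUS server configured")
    return {"enabled": enabled, "servers": servers, "findings": findings}


if __name__ == "__main__":
    for name, cfg in [("network access", NETWORK_ACCESS_CFG),
                      ("any access", ANY_ACCESS_CFG),
                      ("primary keyword", PRIMARY_KEYWORD_CFG)]:
        result = audit_radius(cfg)
        print(name, result["enabled"], result["findings"])
```

Run it against a config pulled from a test switch after NAC has had its 2-3 minutes to push the change; the first finding for the "network access" config is exactly why an AD login on that switch returns "Access Denied" while the same credentials work once the access type is "any access".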
Userlevel 7

Now I am trying to figure out how to add a second rule that will allow the local xmc-cli account on the switch to be able to login as well. This logic doesn't seem to do it.

I don't think that is possible because of the rule before = NAC checks LDAP and it doesn't match and that answer is sent back to the switch = failed authentication.
The request never gets to the second rule.

The only thing you'd do is to add the user/pw to the same LDAP group.
Userlevel 1
Now I am confused (or most likely am just going about this the wrong way). We want to be able to use our AD accounts to login to the switches, which we now have working. We also need the "CLI credentials" specified in "Administration -> Profiles" to be able to login to the switch to backup configs and login when a console is opened from Extreme Management Center. You can't specify an AD account in the CLI credentials settings screen, so how do we get AD logins and the login from the local xmc-cli account to work?
Userlevel 7
Stephen Stormont wrote:

Now I am confused (or most likely am just going about this the wrong way). We want to be able to use our AD accounts to login to the switches, which we now have working. We also need the "CLI credentials" specified in "Administration -> Profiles" to be able to login to the switch to backup configs and login when a console is opened from Extreme Management Center. You can't specify an AD account in the CLI credentials settings screen, so how do we get AD logins and the login from the local xmc-cli account to work?

Let's say that the user in the Administration -> Profiles is admin, just create a user admin in the AD XOS_Administrators group with the same password that is set in the profiles.

I'm not sure whether there is another solution to the requirement.
Userlevel 1
Stephen Stormont wrote:

Now I am confused (or most likely am just going about this the wrong way). We want to be able to use our AD accounts to login to the switches, which we now have working. We also need the "CLI credentials" specified in "Administration -> Profiles" to be able to login to the switch to backup configs and login when a console is opened from Extreme Management Center. You can't specify an AD account in the CLI credentials settings screen, so how do we get AD logins and the login from the local xmc-cli account to work?

That did work (create an AD account called xmc-cli, add it to the domain "XOS Administrators" account, and then log into the switch as there is now an account that has the same name).

I guess we then just have to remember to update the PW in AD, update it in the "CLI credentials" section of XMC, and update it on each switch for consistency when we change the PW.
Userlevel 1
I had RADIUS logins using AD accounts working, we wiped the switch, and now I can't duplicate what I had done. The switch config is now this:

* Summit-CV-Core.15 # show config | i radius
configure radius mgmt-access primary server 172.22.64.46 1812 client-ip 172.22.32.1 vr VR-Default
configure radius mgmt-access primary shared-secret encrypted "I)sGr8lkuGSTtmo/HA{7?;"
enable radius mgmt-access
enable radius netlogin

But now when trying to login with an AD account that is a member of the "XOS Administrators" AD group, we get this in the logs:

07/12/2018 23:05:58.09 Login failed for user zzhoppy through ssh (172.21.128.29)
07/12/2018 23:05:58.09 No response from server 172.22.64.46 trying local.
07/12/2018 23:05:58.09 No servers responding
07/12/2018 23:05:55.09 Resend request to Authentication Server address 172.22.64.46 current request count is 2
07/12/2018 23:05:52.08 Resend request to Authentication Server address 172.22.64.46 current request count is 1
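The log excerpt above tells two different stories depending on which lines surround the "Login failed" entry: a "No response from server ... trying local" line means the switch never got an Access-Accept or Access-Reject at all, whereas a failure with no timeout lines means the server answered and rejected the user (the earlier "Access Denied" symptom, fixed by correcting the group attribute). The script below is an added example, not from Extreme or from anyone in the thread; it parses these EXOS log lines (newest first, as the switch prints them), pairs each failed login with the resend/no-response events in a 30-second window (the window size is an assumption), and returns a verdict with the next check to make. The second log sample, with only a "Login failed" line, is constructed for contrast.

```python
import re
from datetime import datetime, timedelta

# Switch log lines copied from the post above (EXOS prints the newest entry first).
SWITCH_LOG = """\
07/12/2018 23:05:58.09 Login failed for user zzhoppy through ssh (172.21.128.29)
07/12/2018 23:05:58.09 No response from server 172.22.64.46 trying local.
07/12/2018 23:05:58.09 No servers responding
07/12/2018 23:05:55.09 Resend request to Authentication Server address 172.22.64.46 current request count is 2
07/12/2018 23:05:52.08 Resend request to Authentication Server address 172.22.64.46 current request count is 1
"""

# Constructed contrast case: a failure with no timeout lines around it, i.e. the
# RADIUS server answered and the credentials (or the group attribute) were rejected.
REJECTED_LOG = """\
07/12/2018 22:40:11.50 Login failed for user zzhoppy through ssh (172.21.128.29)
"""

LINE_RE = re.compile(r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{2}) (?P<msg>.+)$")
EVENT_RES = {
    "login_failed": re.compile(r"Login failed for user (?P<user>\S+) through (?P<proto>\S+) \((?P<src>[^)]+)\)"),
    "no_response": re.compile(r"No response from server (?P<server>\S+)"),
    "resend": re.compile(r"Resend request to Authentication Server address (?P<server>\S+) "
                         r"current request count is (?P<count>\d+)"),
    "no_servers": re.compile(r"No servers responding"),
}
WINDOW = timedelta(seconds=30)  # assumption: one login attempt's retries all fall within 30 s


def parse_log(text):
    """Turn raw switch log lines into typed events in chronological order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for kind, pattern in EVENT_RES.items():
            em = pattern.search(m["msg"])
            if em:
                ts = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S.%f")
                events.append({"kind": kind, "ts": ts, **em.groupdict()})
                break
    events.sort(key=lambda e: e["ts"])   # stable sort: ties keep file order
    return events


def triage(events):
    """For each failed login, decide whether RADIUS timed out or actually rejected it."""
    verdicts = []
    for ev in events:
        if ev["kind"] != "login_failed":
            continue
        window = [e for e in events if e is not ev and ev["ts"] - WINDOW <= e["ts"] <= ev["ts"]]
        dead = sorted({e["server"] for e in window if e["kind"] == "no_response"})
        resends = max((int(e["count"]) for e in window if e["kind"] == "resend"), default=0)
        if dead:
            verdict = "server_unreachable"
            next_step = ("confirm the RADIUS server receives the request (packet trace, radius.log) and "
                         "that the shared secret matches on both sides; a secret mismatch is silently "
                         "discarded by the server and looks like a timeout from the switch")
        else:
            verdict = "rejected"
            next_step = ("the server answered: check the user's group membership and the LDAP "
                         "attribute string (including the OU) in the NAC rule")
        verdicts.append({"user": ev["user"], "src": ev["src"], "proto": ev["proto"],
                         "verdict": verdict, "servers": dead, "resends": resends,
                         "next_step": next_step})
    return verdicts


if __name__ == "__main__":
    for v in triage(parse_log(SWITCH_LOG)) + triage(parse_log(REJECTED_LOG)):
        print(v["user"], v["src"], v["verdict"], v["servers"], v["resends"])
        print("  ->", v["next_step"])
```

The "server_unreachable" verdict for the posted log lines is the case the next reply addresses: the switch retried twice and heard nothing, so the fault is between the switch and NAC (reachability, client-ip, or shared secret), not in the LDAP lookup.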
Userlevel 6
Take a trace on the configured RADIUS server and verify it's receiving RADIUS traffic.

If receiving the traffic make sure that your RADIUS shared secret matches on NAC and on the switch.

You can check the /var/log/radius/radius.log to see if there are any "unauthorized" messages.

Thanks
-Ryan
Userlevel 1
Not sure what it was, but I deleted the switches from the "Switches" section of the Engine Settings, re-added them, and now authentication is working. Oddly, when the settings were added via XMC, they now include "1" and "2" after "config radius mgmt-access", instead of "primary" and "secondary" (which is what is listed as part of the commands to run as per https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-RADIUS-authentication-for...)

configure radius mgmt-access 1 server 172.22.16.94 1812 client-ip 172.22.32.105 vr VR-Default
configure radius 1 shared-secret encrypted "#$MwNdSNk2RwKIdgQsGIaqIMkJWRUPRKEFbmVn58wQkxaVA6imbAc="
configure radius mgmt-access 2 server 172.22.64.46 1812 client-ip 172.22.32.105 vr VR-Default
configure radius 2 shared-secret encrypted "#$tZZbcU8GAbLVTAQY1t4BEChE2BHd7Q88XXCtprfAMcTAHBBYwbw="
