How to configure radius authentication for EXOS switch management
Thread closed by the administrator, not accepting new replies.
MLD
posted 01-05-2022 15:40
Hello,
I'm trying to configure A3 as our radius-mgmt server for switch authentication. I found an older article that mentions only Cisco Management Authentications are supported? The EXOS switch is a 440G2 running 31.3.1.3-patch1-10, with radius mgmt-access enabled and correct shared-secret. I enabled 'CLI Access' under the device settings as well. The RADIUS log shows 'Auth Rejected' and I'm not sure what step/filter I might be missing.
Any guidance or step-by-step guides you can provide would be great.
Thanks,
Matt
OscarK
posted 01-06-2022 05:57
Hi, this should be possible nowadays with A3.
In System Configuration/Admin Access add a new admin role, give it Switches Cli Read or Write.
In your authentication source add an admin access rule and set the access-level to the admin access role you defined.
MLD
posted 01-06-2022 11:54
Forgot to mention that step as well, I created a new admin profile "Switch CLI" with both read and write switch cli access. That profile was added under my authentication source / administration rules / switch cli...
My auth source uses AD with ldap condition to match my account to the administration rule. I also added 'Connection Type' equals CLI-Access as a filter under my connection profile. The connection profile is set to Filters 'any'
OscarK
posted 01-12-2022 07:57
I just got it working using local user accounts on A3.
See below article.
https://extremeportal.force.com/ExtrArticleDetail?an=000060486
MLD
posted 01-13-2022 09:01
Thanks for the article. Is it possible to query an internal AD source for the user instead of creating the admin accounts locally?
OscarK
posted 01-13-2022 09:16
One important thing, you need to configure port 1815 for mgmt-access instead of 1812. However in my tests it did not make a difference and I could only authenticate through local A3 users, however I am checking why ldap does not work.
MLD
posted 01-19-2022 14:32
I upgraded to 4.0 today and re-tested with no luck. I also changed the radius mgmt-access port to 1815.
Do you think a connection profile needs to be set up as well? I noticed the NAS-Port-Type is Virtual and I have no connection profile set up for that type of connection. I do have a separate profile with the connection type set to CLI-Access using my internal AD/LDAP source.
OscarK
posted 01-20-2022 02:25
Hi, the connection profile that you hit should have the right authentication source added to it.
In my lab a bug was found in the extreme library handling snmp and we can change that file to fix it.
If you open a case with Extreme Networks and ask it to be assigned to me (Oscar Koot) we can check if the same fix helps for you.
MLD
posted 01-20-2022 14:32
Thanks Oscar!
Can you send me your local user auth setup? I'd like to test that as well, maybe using A3 local user auth is the better option here.
OscarK
posted 01-21-2022 02:29
Hi,
in the connection profile I have 1 profile that filters simply on device IP for test but in a real network you should match on the right connection type or maybe port.
In the sources of the profile add local.
Create a local user and set the actions to the correct access-level. Make sure the time/date are good. There were issues where the user could only login the next day as the start time was set wrong.
MLD
posted 01-26-2022 14:38
I was testing some other features with A3 so I just got back to this. Can you send me a screenshot of your setup?
Here's the RADIUS log entry for the test account I set up...
RADIUS Request
User-Name = "testuser"
User-Password = "******"
NAS-IP-Address = 10.10.200.1
NAS-Port = 0
Service-Type = Login-User
Called-Station-Id = "00:04:96:9e:57:50"
Calling-Station-Id = "10.24.156.103"
NAS-Identifier = "lab_es01"
Proxy-State = 0x3834
NAS-Port-Type = Virtual
Event-Timestamp = "Jan 26 2022 14:25:16 EST"
Message-Authenticator = 0xa44631837f24d451e2bc18af610cf90e
Stripped-User-Name = "testuser"
Realm = "null"
FreeRADIUS-Client-IP-Address = 10.24.10.156
PacketFence-KeyBalanced = "8d43c43cef1ed029bd9bb5b119c2518d"
PacketFence-Radius-Ip = "10.24.10.155"
PacketFence-Src-Ip = "10.10.200.1"
SQL-User-Name = "testuser"
RADIUS Reply
Reply-Message = "Mac is empty"
Proxy-State = 0x3834
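A small triage helper for a request like the one posted above, added here as an example (it is not part of the thread or of Extreme's tooling): it parses the attribute dump and reports the fields a connection profile would filter on, including whether Calling-Station-Id holds a MAC or an IP address. The function names are hypothetical.

```python
import ipaddress
import re

# Sample input: attributes copied from the RADIUS request in the post above;
# the multi-line layout is constructed for this example.
SAMPLE = '''
User-Name = "testuser" NAS-IP-Address = 10.10.200.1 NAS-Port = 0
Service-Type = Login-User Called-Station-Id = "00:04:96:9e:57:50"
Calling-Station-Id = "10.24.156.103" NAS-Identifier = "lab_es01"
NAS-Port-Type = Virtual Event-Timestamp = "Jan 26 2022 14:25:16 EST"
'''

ATTR_RE = re.compile(r'([A-Za-z][\w-]*)\s*=\s*("([^"]*)"|\S+)')
MAC_RE = re.compile(r'^[0-9A-Fa-f]{2}([:-]?[0-9A-Fa-f]{2}){5}$')
# Service-Type values (FreeRADIUS dictionary names) used for device logins.
LOGIN_TYPES = {"Login-User", "Administrative-User", "NAS-Prompt-User"}

def parse_attrs(text):
    """Turn 'Name = value Name = "quoted value" ...' into a dict."""
    attrs = {}
    for name, raw, quoted in ATTR_RE.findall(text):
        attrs[name] = quoted if raw.startswith('"') else raw
    return attrs

def station_kind(value):
    """Classify a *-Station-Id value as 'mac', 'ip', 'empty' or 'other'."""
    if not value:
        return "empty"
    if MAC_RE.match(value):
        return "mac"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "other"

def triage(attrs):
    """Summarise the fields a connection-profile filter would match on."""
    return {
        "management_login": attrs.get("Service-Type") in LOGIN_TYPES,
        "nas_port_type": attrs.get("NAS-Port-Type"),
        "calling_station": station_kind(attrs.get("Calling-Station-Id")),
        "called_station": station_kind(attrs.get("Called-Station-Id")),
        "nas_ip": attrs.get("NAS-IP-Address"),
    }

if __name__ == "__main__":
    for key, value in triage(parse_attrs(SAMPLE)).items():
        print(f"{key}: {value}")
```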
OscarK
posted 01-27-2022 02:48
Connection Profile
Authentication source
Auth source rule