ExtremeSwitching (VSP)

Marlon Scheid posted 04-27-2022 03:06

Hi Steven,

the VOSS Switches expect the radius return attribute "Passport-Access-Priority" with a value of 6 if its an administrative user.

eg:
Passport-Access-Priority=6

Solution: VOSS/ERS : AAA Radius Server Attributes for ERS and VOSS switches | Extreme Portal (force.com)

regards
Marlon

Todd Hancock posted 04-28-2022 07:37

This has always worked for me -

no radius enable
radius server host <primary server> key <shared secret> used-by cli priority 2
radius server host <primary server> key <shared secret> used-by web priority 2
radius server host <secondary server> key <shared secret> used-by cli priority 3
radius server host <secondary server> key <shared secret> used-by web priority 3
radius enable
radius accounting enable

steven.rous posted 04-29-2022 10:57

Thanks Marlon and Todd.  I was effectively using the commands provided by Todd but assuming the parameters used for ERS switch authentication would be the same for VSP/VOSS switches as they are for existing ERS/BOSS switches.  The link that Marlon provided makes me think this may not be the case.  Unfortunately I do not have visibility of the NPS servers used for both Radius and TACACS.   I've tried using TACACS but that's not working either. 

Despite TACACS/RADIUS not working it's not failing back and allowing me to logon with a locally configured username/password that once I disable either I can then once again access the switch remotely with.
  
I was able to view the radius-server statistics and when I try and logon using my network username/password I know to be correct and works when accessing other ERS switches -  I can see equal Access Requests, Accepts and Rejects???  Each time I attempt to logon they all increment equally which I think points to the issue being attributes not being configured correctly on the NPS servers as indicated by Marlon.  It also seems to allude to the fact that we are able to communicate with the NPS server otherwise presumably requests would be seen but without accepts and rejects and maybe this is why I cannot logon using the locally configured username/password which is different.  

On a similar note I wonder whether I'll be able to access the switch locally via the Console Port using a locally configured port?  I'm not sure I will which is how we currently configure our ERS switches and that is because we've had issues in the past whereby we've not been able to logon locally using Radius/TACACS and for whatever reason it's not failed back to allowing a locally configure username/password access!  

When configuring TACACS I also notice the server shows as NotConn which I assume means not connected and this to be normal?  Presumably there would only be a connection if a user is trying to access/logon to the switch?  

Radius Server(UsedBy) : x.x.x.x(cli)
--------------------------------------------------------
Access Requests : 1
Access Accepts : 1
Access Rejects : 1

steven.rous posted 05-11-2022 11:41

Just to advise we've given up with Radius as we managed to get TACACS working which apparently comes with more accounting functionality. 
Ultimately for now we simply wanted to use the customer NPS server to manage remote access to the switches.  The next challenge will be local access as I'm not seeing a way to configure local access to the serial/com port on these switches to use a locally configured password as we could on the  BOSS switches. ​

Miguel-Angel RODRIGUEZ-GARCIA posted 05-12-2022 05:25

Hi Steven,

For what concerns the local account, I created an account locally and in the Extreme Control with the same password.
With that account, we can log in with radius and locally when the radius fails.
It's a workaround.
Mig