
 how to configure radius authentication for switch management access on voss

steven.rous posted 04-26-2022 10:19
Hi. We are struggling to configure radius authentication on our new VSP Fabric switches. We have successfully managed to get this to work on ERS switches but not VSP/Fabric Switches. FYI, the switch in question is a 5520 running 8.5.1 software.
Frustratingly, there are, it seems, guides available for BOSS (ERS) and EXOS but not VOSS!!!
We have configured a single management CLIP address on the switches and we have remote connectivity to all 3 switches using SSH.
We simply want to configure access to the switches to use radius as it does for the ERS switches, which simply use a key and that's it.
If the username exists and the password is correct, I would expect access to be granted; we are not using attributes or trying to change CLI access via radius etc.
We are not using XIQ or XIQ-SE to manage the switches btw!
Hopefully a guide does exist, or somebody who has managed to get this to work can provide one. Thanks in advance.
Marlon Scheid
Hi Steven,

The VOSS switches expect the radius return attribute "Passport-Access-Priority" with a value of 6 if it's an administrative user.

e.g.:
Passport-Access-Priority=6

Solution: VOSS/ERS : AAA Radius Server Attributes for ERS and VOSS switches | Extreme Portal (force.com)

regards
Marlon
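As an added illustration (this is not code from the thread, from Extreme, or from any RADIUS server product), the Python below shows what the reply attribute Marlon describes looks like on the wire and how a receiver decides whether an Access-Accept actually carries it. Passport-Access-Priority is a Vendor-Specific attribute (RADIUS type 26, RFC 2865); the vendor id 1584 (Bay Networks) and vendor-type 192 used here are my understanding of the Nortel/Bay RADIUS dictionary and should be checked against the dictionary on your NPS or FreeRADIUS server. The packet fragments are constructed for the example. The second sample, an Access-Accept with no priority attribute, is what a "username and password only" server policy returns, which is the case the thread is about.

```python
import struct

# RADIUS attribute types and dictionary values used below. The 1584/192 pair is
# an assumption taken from the Bay Networks/Nortel dictionary; verify it against
# your RADIUS server's dictionary before relying on it.
VENDOR_SPECIFIC = 26          # RFC 2865 Vendor-Specific attribute
VENDOR_BAY_NETWORKS = 1584    # vendor id that carries Passport-* attributes
PASSPORT_ACCESS_PRIORITY = 192
RWA_PRIORITY = 6              # value the thread says VOSS expects for an admin user


def build_access_priority_vsa(priority: int) -> bytes:
    """Encode Passport-Access-Priority as a Vendor-Specific attribute.

    Layout: type(1) len(1) vendor-id(4) | vendor-type(1) vendor-len(1) value(4)
    """
    vendor_payload = struct.pack("!BBI", PASSPORT_ACCESS_PRIORITY, 6, priority)
    body = struct.pack("!I", VENDOR_BAY_NETWORKS) + vendor_payload
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def parse_attributes(raw: bytes) -> list:
    """Walk a RADIUS TLV attribute list and return (type, value) tuples.

    Rejects lengths that would overrun the buffer or loop forever.
    """
    attrs = []
    i = 0
    while i + 2 <= len(raw):
        attr_type, attr_len = raw[i], raw[i + 1]
        if attr_len < 2 or i + attr_len > len(raw):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((attr_type, raw[i + 2:i + attr_len]))
        i += attr_len
    return attrs


def extract_access_priority(raw_attrs: bytes):
    """Return the Passport-Access-Priority value, or None if the reply lacks it."""
    for attr_type, value in parse_attributes(raw_attrs):
        if attr_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor = struct.unpack("!I", value[:4])[0]
        if vendor != VENDOR_BAY_NETWORKS:
            continue
        # Vendor sub-attributes use the same TLV layout as top-level attributes.
        for sub_type, sub_value in parse_attributes(value[4:]):
            if sub_type == PASSPORT_ACCESS_PRIORITY and len(sub_value) == 4:
                return struct.unpack("!I", sub_value)[0]
    return None


def switch_would_grant_rwa(raw_attrs: bytes) -> bool:
    """Model the behaviour described in the thread: admin access needs priority 6."""
    return extract_access_priority(raw_attrs) == RWA_PRIORITY


# Constructed sample attribute lists (the part of an Access-Accept after the
# 20-byte header). Reply-Message is type 18.
REPLY_MESSAGE = struct.pack("!BB", 18, 4) + b"OK"
ACCEPT_WITH_VSA = REPLY_MESSAGE + build_access_priority_vsa(RWA_PRIORITY)
ACCEPT_WITHOUT_VSA = REPLY_MESSAGE   # password correct, but no priority returned


if __name__ == "__main__":
    for name, attrs in (("with VSA", ACCEPT_WITH_VSA), ("without VSA", ACCEPT_WITHOUT_VSA)):
        print(name, "priority =", extract_access_priority(attrs),
              "rwa granted =", switch_would_grant_rwa(attrs))
```

When a server accepts the credentials but returns nothing the switch can map to an access level, the RADIUS statistics on the switch will still count an Access-Accept, which is one reason to check the returned attributes rather than only the accept/reject counters.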
Todd Hancock

This has always worked for me -

no radius enable
radius server host <primary server> key <shared secret> used-by cli priority 2
radius server host <primary server> key <shared secret> used-by web priority 2
radius server host <secondary server> key <shared secret> used-by cli priority 3
radius server host <secondary server> key <shared secret> used-by web priority 3
radius enable
radius accounting enable

steven.rous
Thanks Marlon and Todd. I was effectively using the commands provided by Todd but assuming the parameters used for ERS switch authentication would be the same for VSP/VOSS switches as they are for existing ERS/BOSS switches. The link that Marlon provided makes me think this may not be the case. Unfortunately I do not have visibility of the NPS servers used for both Radius and TACACS. I've tried using TACACS but that's not working either.

Despite TACACS/RADIUS not working, it's not failing back and allowing me to log on with a locally configured username/password that, once I disable either, I can then once again access the switch remotely with.

I was able to view the radius-server statistics and when I try and log on using my network username/password, which I know to be correct and works when accessing other ERS switches, I can see equal Access Requests, Accepts and Rejects??? Each time I attempt to log on they all increment equally, which I think points to the issue being attributes not being configured correctly on the NPS servers, as indicated by Marlon. It also seems to allude to the fact that we are able to communicate with the NPS server, otherwise presumably requests would be seen but without accepts and rejects, and maybe this is why I cannot log on using the locally configured username/password, which is different.

On a similar note, I wonder whether I'll be able to access the switch locally via the Console Port using a locally configured port? I'm not sure I will, which is how we currently configure our ERS switches, and that is because we've had issues in the past whereby we've not been able to log on locally using Radius/TACACS and for whatever reason it's not failed back to allowing a locally configured username/password access!

When configuring TACACS I also notice the server shows as NotConn, which I assume means not connected, and this to be normal? Presumably there would only be a connection if a user is trying to access/log on to the switch?

Radius Server(UsedBy) : x.x.x.x(cli)
--------------------------------------------------------
Access Requests : 1
Access Accepts : 1
Access Rejects : 1

steven.rous
Just to advise we've given up with Radius as we managed to get TACACS working, which apparently comes with more accounting functionality.
Ultimately for now we simply wanted to use the customer NPS server to manage remote access to the switches. The next challenge will be local access, as I'm not seeing a way to configure local access to the serial/com port on these switches to use a locally configured password as we could on the BOSS switches.
Miguel-Angel RODRIGUEZ-GARCIA
Hi Steven,

For what concerns the local account, I created an account locally and in the Extreme Control with the same password.
With that account, we can log in with radius and locally when the radius fails.
It's a workaround.
Mig