ExtremeCloud IQ- Site Engine & Extreme Management Center


 This user does not have permissions for this command.

Giuseppe Montanarella posted 12-16-2021 10:26
Good Afternoon,

X440 connected to XMC/NAC, used to authenticate the user for management login.

If I try to connect to the switch with SSH, the prompt is this:

X440_UP > and for any command I run I receive this error:

"This user does not have permissions for this command."

The problem is the connection to RADIUS (XMC/NAC), but I do not know where (I only upgraded XMC and NAC to the latest release).

Thanks
Giuseppe
Zdeněk Pala
Check what RADIUS attributes are sent from NAC to EXOS. For admin access to EXOS you should receive Service-Type = 6.

here is my NAC rule:

Administrator NAC Profile uses Enterprise User (Administrator) policy

Policy Mapping for Enterprise User (Administrator)

The switch:

Good luck
Giuseppe Montanarella
Thanks for your reply.
This is my configuration and it does not work :-(

Giuseppe

Zdeněk Pala
Hi Giuseppe.

I cannot read anything from your picture.
Giuseppe Montanarella
Here is my configuration.

Giuseppe
Zdeněk Pala
The AAA rule looks OK.
The policy mapping looks OK.

What about the rest of the config? I shared NAC rules, NAC profile and switch config.
Giuseppe Montanarella
XMC Configuration and Switch configuration

Giuseppe
Zdeněk Pala
Still missing the NAC rule that should match.
Can you share a PCAP of the RADIUS Access-Accept?
Giuseppe Montanarella
Hi, on NAC and XMC I have only tcpdump; is it possible to install tshark?

Giuseppe
Zdeněk Pala
You can execute this command:
tcpdump -ni eth0 port 1812 -w /tmp/mypcap.pcap

Then you can download the pcap file.
Another option is to use the GUI of the NAC engine and start the packet capture there.
---
Regarding your screenshots:

- Is your user part of the user group condition?
- Is your switch part of the location condition?

Giuseppe Montanarella
Thanks for your help.
This evening I did a restore from a previous version and everything works, apart from the fact that the rule that permits the login is not the "management login" rule but the Default-Catch-rule.
I will check the next day.

Thanks
Giuseppe
JASU
I have the same issue but I am authenticating my users through FreeRADIUS on Linux. Below is the attribute configuration.
How would I allow this user to run "Show configuration" for the sake of taking regular backups?

# FreeRADIUS users file: check items on the first line, reply items indented below it
USER1 Cleartext-Password := password
	Filter-Id = "Enterasys:version=1:mgmt=ro"
Zdeněk Pala
The management access level on the different OSes depends on the RADIUS attributes. The picture in my first response shows which attributes and which values should be used. A different response is expected by each OS.
JASU
Thanks for your answer. However, I am not an expert in this area of interpreting attributes into a script acceptable to the RADIUS server. So can you guide me on what the script should look like in the users file for a read-only user and a read-write user?
I have ExtremeXOS version 16.2.2.4 and ExtremeXOS version 15.3.1.4 switches.

By the way, when I used the syntax below with 16.2 in the users file, it was assigning the right privilege, ro/rw/su. But with 15.3, it always authorizes the user as read-only regardless of the keyword I use.

# FreeRADIUS users file: reply items must be indented under the check line
USER1 Cleartext-Password := password
	Filter-Id = "Enterasys:version=1:mgmt=ro"
Zdeněk Pala
You are correct. This feature was enhanced in 16.x code and EXOS now supports both the original EXOS and EOS options.

This should give you Admin:
# Service-Type Administrative (value 6) -> admin on EXOS
USER1 Cleartext-Password := password
	Service-Type = Administrative

This should give you Read Only:
# Service-Type Login (value 1) -> read-only on EXOS
USER2 Cleartext-Password := password
	Service-Type = Login

JASU
Is there a way to grant the user with read-only privilege to run "Show configuration" ? Or any equivalent command to show complete configuration ?
Zdeněk Pala
Per-command authorization can be used for this purpose. EXOS needs to be configured to request permission for each command, and the RADIUS server needs to approve/reject each command.
JASU
Would you share example to show steps from both switch & radius server ?
Zdeněk Pala
Sorry. It is more complex. Here is the documentation for EXOS 16.1: https://documentation.extremenetworks.com/exos_16.1/downloads/GUID-D14940D6-7F4E-4084-A9BD-069AA223D632.pdf
What you need is the Security section, pages 951+.

In general you need to authenticate the user through RADIUS with Extreme-CLI-Authorization = enabled.
Then you will receive each command through a RADIUS request; an Access-Accept means the command can be executed, and an Access-Reject means the command execution is rejected.
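As an added example (not code from this thread, from Extreme Networks or from FreeRADIUS), the Python below decodes a RADIUS reply of the kind captured with the tcpdump command earlier in the thread and applies the mapping the thread gives: Service-Type 6 (Administrative) grants admin, Service-Type 1 (Login) grants read-only, and an EOS-style Filter-Id of the form Enterasys:version=1:mgmt=ro/rw/su grants the named level. For the per-command authorization just described, the same decoder reports whether a reply is an Access-Accept (command runs) or an Access-Reject (command refused). It also checks the Response Authenticator against the shared secret, which is the check to make before trusting an Access-Accept seen in a pcap. The sample packets, shared secret and request authenticator are constructed; the attribute precedence (first recognised attribute wins), the read-only fallback and the "rw" name are assumptions, not documented EXOS behaviour.

```python
"""Decode a RADIUS reply and derive the EXOS management level it implies.
Added example; attribute precedence and the read-only fallback are assumptions."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_SERVICE_TYPE = 6            # RFC 2865 attribute numbers
ATTR_FILTER_ID = 11
SERVICE_TYPE_LOGIN = 1           # "Login" -> read-only (per the thread)
SERVICE_TYPE_ADMINISTRATIVE = 6  # "Administrative" -> admin (per the thread)
# EOS-style keywords quoted in the thread; "rw" -> read-write is an assumption.
FILTER_ID_LEVELS = {"ro": "read-only", "rw": "read-write", "su": "admin"}


def parse_attributes(data: bytes) -> list:
    """Split the attribute area into (type, value) pairs, rejecting malformed TLVs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[i], data[i + 1]
        if attr_len < 2 or i + attr_len > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + attr_len]))
        i += attr_len
    return attrs


def parse_packet(raw: bytes):
    """Return (code, identifier, authenticator, attributes) from a RADIUS datagram."""
    if len(raw) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length > len(raw):
        raise ValueError("bad length field")
    return code, ident, raw[4:20], parse_attributes(raw[20:length])


def response_authenticator_ok(raw: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """RFC 2865 s.3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    length = struct.unpack("!H", raw[2:4])[0]
    expected = hashlib.md5(raw[:4] + request_authenticator + raw[20:length] + secret).digest()
    return hmac.compare_digest(expected, raw[4:20])


def management_level(attrs) -> str:
    """Map reply attributes to an EXOS management level. Assumption: the first
    recognised attribute wins; anything unrecognised falls back to read-only."""
    for attr_type, value in attrs:
        if attr_type == ATTR_SERVICE_TYPE and len(value) == 4:
            service_type = struct.unpack("!I", value)[0]
            if service_type == SERVICE_TYPE_ADMINISTRATIVE:
                return "admin"
            if service_type == SERVICE_TYPE_LOGIN:
                return "read-only"
        elif attr_type == ATTR_FILTER_ID:
            text = value.decode("ascii", errors="replace")
            if text.startswith("Enterasys:version=1:"):
                for part in text.split(":"):
                    if part.startswith("mgmt="):
                        return FILTER_ID_LEVELS.get(part[5:], "read-only")
    return "read-only"


def decode_reply(raw: bytes, request_authenticator: bytes, secret: bytes) -> str:
    """Verify the reply came from the server holding the shared secret, then
    report the decision: a level for a login Access-Accept, or 'rejected'
    (which, under per-command authorization, means the command is refused)."""
    code, _ident, _auth, attrs = parse_packet(raw)
    if not response_authenticator_ok(raw, request_authenticator, secret):
        raise ValueError("Response Authenticator mismatch: spoofed reply or wrong secret")
    if code == ACCESS_REJECT:
        return "rejected"
    if code != ACCESS_ACCEPT:
        raise ValueError(f"unexpected RADIUS code {code}")
    return management_level(attrs)


def build_response(code: int, ident: int, attrs, request_authenticator: bytes, secret: bytes) -> bytes:
    """Build a server reply with a valid Response Authenticator (used only to
    construct the sample packets below; real ones come from the pcap)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + auth + body


# Constructed sample data: throwaway shared secret and request authenticator.
SECRET = b"testing123"
REQUEST_AUTH = bytes(range(16))
ADMIN_ACCEPT = build_response(ACCESS_ACCEPT, 7,
    [(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE))], REQUEST_AUTH, SECRET)
RO_ACCEPT = build_response(ACCESS_ACCEPT, 8,
    [(ATTR_FILTER_ID, b"Enterasys:version=1:mgmt=ro")], REQUEST_AUTH, SECRET)
CMD_REJECT = build_response(ACCESS_REJECT, 9, [], REQUEST_AUTH, SECRET)

if __name__ == "__main__":
    for name, pkt in (("admin", ADMIN_ACCEPT), ("ro", RO_ACCEPT), ("cmd", CMD_REJECT)):
        print(name, decode_reply(pkt, REQUEST_AUTH, SECRET))
```

To use it on a real capture, feed the UDP payload of each reply from the pcap to decode_reply together with the Request Authenticator of the matching Access-Request (same Identifier) and the shared secret configured on the switch; a mismatch there is worth investigating before looking at attributes, since a reply that fails the check was not produced with that secret.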