ExtremeSwitching (EXOS)


Extreme using radius JUST to authenticate, not for all command verification.

  • 1.  Extreme using radius JUST to authenticate, not for all command verification.

    Posted 07-31-2017 19:23
    I have an ExtremeXOS version 16.2.1.6 configured. My intention was just to authenticate my users, but I realized that when a user passes any command, the Extreme checks the permission. Is this normal? Is it possible to change this behavior? If yes, how?
    Best regards


  • 2.  RE: Extreme using radius JUST to authenticate, not for all command verification.



  • 3.  RE: Extreme using radius JUST to authenticate, not for all command verification.

    Posted 08-01-2017 01:37
    Hello Ram, thanks for your reply. I think that is my problem. I just want to authorize the login. After that, I don't want the switch to check the RADIUS server all the time, whenever a user passes any command. If there is any communication problem between the switch and RADIUS, I lose my privilege. Is that it? Can I change it so that it does not authenticate the command all the time? Best regards


  • 4.  RE: Extreme using radius JUST to authenticate, not for all command verification.

    Posted 08-01-2017 02:29
    Could you please explain to us in detail how you are checking in RADIUS and on the switch that authorization is happening for any command executed? Also, please share the configuration "show configuration aaa".


  • 5.  RE: Extreme using radius JUST to authenticate, not for all command verification.

    Posted 08-01-2017 05:59
    Please take a look at this post, which includes a link to screenshots of a working setup...

    https://community.extremenetworks.com/extreme/topics/microsoft-nps-server-vsa-configuration-for-extr...



  • 6.  RE: Extreme using radius JUST to authenticate, not for all command verification.

    Posted 08-01-2017 10:59
    Hello all.

    Good morning Ram, here is my configuration:

    configure radius mgmt-access primary shared-secret PASSWORD
    configure radius mgmt-access primary server IP_SERVER 1812 client-ip IP_CLIENT vr VR-Mgmt
    configure radius mgmt-access secondary shared-secret PASSWORD
    configure radius mgmt-access secondary server IP_SERVER 1812 client-ip IP_CLIENT vr VR-Mgmt
    enable radius mgmt-access

    We noticed that all commands which a user passes were checked by the switches. For example, if a user passed "show configuration", the switch sent a new check for this command. The problem is that if we have any problem between the switch and the RADIUS server, the user will not be able to do anything any more.

    We noticed that behavior by running tcpdump commands on the RADIUS server. So, with that we could see this.

    Is it possible to turn this off, and just let the switch check the login and nothing more?

    Best regards.
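
The tcpdump check described in the post above can be made precise by decoding the RADIUS header of each captured datagram and counting packets per code and User-Name, which shows whether the traffic that follows a login is Access-Request (authentication) or Accounting-Request (accounting). This is an added example, not code from the thread or from Extreme; it assumes the UDP payloads have already been extracted from the capture, and the sample packets and the `build` helper are constructed for illustration.

```python
import struct
from collections import Counter

# RADIUS packet codes from RFC 2865 / RFC 2866
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}
USER_NAME = 1  # attribute type carrying the login name

def parse_radius(datagram: bytes):
    """Return (code_name, identifier, user_name or None) for one RADIUS UDP payload."""
    if len(datagram) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if length < 20 or length > len(datagram):
        raise ValueError("length field inconsistent with datagram size")
    user, pos = None, 20  # attributes start after code/id/length/authenticator
    while pos < length:
        if pos + 2 > length or datagram[pos + 1] < 2 or pos + datagram[pos + 1] > length:
            raise ValueError("malformed attribute")
        a_type, a_len = datagram[pos], datagram[pos + 1]
        if a_type == USER_NAME:
            user = datagram[pos + 2:pos + a_len].decode("utf-8", "replace")
        pos += a_len
    return CODES.get(code, f"code-{code}"), ident, user

def tally(datagrams):
    """Count packets per (code, user); malformed payloads are counted, not fatal."""
    counts = Counter()
    for d in datagrams:
        try:
            name, _, user = parse_radius(d)
        except ValueError:
            counts[("malformed", None)] += 1
            continue
        counts[(name, user)] += 1
    return counts

def build(code, ident, user):
    """Hypothetical helper: build a minimal sample packet with a zeroed authenticator."""
    attr = bytes([USER_NAME, 2 + len(user)]) + user.encode()
    return struct.pack("!BBH", code, ident, 20 + len(attr)) + bytes(16) + attr

# Constructed sample: two Access-Requests and one Accounting-Request for the
# same user, plus one truncated payload.
SAMPLE = [build(1, 10, "admin"), build(1, 11, "admin"), build(4, 12, "admin"), b"\x01\x02"]

if __name__ == "__main__":
    for key, n in sorted(tally(SAMPLE).items(), key=str):
        print(key, n)
```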


  • 7.  RE: Extreme using radius JUST to authenticate, not for all command verification.

    Posted 08-02-2017 03:29
    Could you please provide me the entire configuration of "show configuration aaa", "show switch" and "show version"? If it is an issue, we need to test this in a local lab. Hence, you could also open a GTAC case with "show tech" output and a detailed explanation of your issue.


  • 8.  RE: Extreme using radius JUST to authenticate, not for all command verification.

    Posted 08-03-2017 11:57
    Hello Ram.

    Sorry for my late reply. Here is the information that you asked for:

    show configuration aaa:
    configure radius mgmt-access primary server RADIUS_IP 1812 client-ip CLIENT_IP vr VR-Mgmt
    configure radius mgmt-access primary shared-secret encrypted PASSWORD
    configure radius mgmt-access secondary server RADIUS_IP 1812 client-ip CLIENT_IP vr VR-Mgmt
    configure radius mgmt-access secondary shared-secret encrypted PASSWORD
    enable radius mgmt-access

    show switch:

    SysName: ampere
    SysLocation:
    SysContact:
    System MAC:
    System Type: X670-48x

    SysHealth check: Enabled (Normal)
    Recovery Mode: All
    System Watchdog: Enabled

    Current Time: Thu Aug 3 10:55:20 2017
    Timezone: [Auto DST Disabled] GMT Offset: -180 minutes, name is BRT.
    Boot Time: Sat Jul 22 01:21:01 2017
    Boot Count: 23
    Next Reboot: None scheduled
    System UpTime: 12 days 9 hours 34 minutes 18 seconds

    Image Selected: secondary
    Image Booted: secondary
    Primary ver: 16.1.2.14
    Secondary ver: 16.2.1.6

    Config Selected: primary.cfg
    Config Booted: primary.cfg

    primary.cfg Created by ExtremeXOS version 16.2.1.6
    1083719 bytes saved on Mon Jul 31 20:11:38 2017

    show version:
    Switch : 800400-00-04 1151G-00686 Rev 4.0 BootROM: 2.0.1.5 IMG: 16.2.1.6
    PSU-1 : Internal PSU-1 800282-00-04 1201K-82195
    PSU-2 : Internal PSU-2 800282-00-04 1201K-82194

    Image : ExtremeXOS version 16.2.1.6 by release-manager
    on Sat Aug 6 19:06:56 EDT 2016
    BootROM : 2.0.1.5
    Diagnostics : 6.4