ExtremeSwitching (EOS)


Local Passwords First

  • 1.  Local Passwords First

    Posted 08-08-2014 13:48
    So I started adding the following lines to all of our Enterasys switches.

    set system login rw read-write enable local-only yes
    set system login ro read-only enable local-only yes
    set system login admin super-user enable local-only yes

    If you have RADIUS configured for logging into switches, so admins can use their own logins and be accountable, it can be challenging when things go wrong.

    By default the switches will check with RADIUS first for all logins. So the only way local logins will work is if RADIUS is totally out of the picture. Even then you will have to wait for the RADIUS process to timeout before the switch will check the local password store. If RADIUS is up but is messed up the switch may never check the local store. Then the only way you can get in is to console into the switch and unplug the uplink or perhaps create a policy that will not allow the switch to talk to the RADIUS server at all. In the height of a crisis this may cause you to blow a gasket.

    With this config the switches will always check the local store first for the usernames you specify. You'll be happy you did this if your RADIUS server ever goes sideways.

    John
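
As an added example (not part of John's post or any Extreme Networks tooling), the following Python script audits a saved EOS configuration dump for enabled login accounts that lack `local-only yes` while RADIUS is enabled for the management-access realm, i.e. the accounts that a reachable-but-broken RADIUS server would lock out. It assumes the `set system login <user> <level> enable|disable ... [local-only yes]` and `set radius ...` line shapes shown in this thread, treats lines not starting with `set ` or `#` as wrapped continuations of the previous line, and uses a constructed sample config with placeholder hashes and secrets.

```python
import re
from typing import Dict, List

# Constructed sample of an EOS configuration dump (not copied from the thread's
# switches); the password hash and RADIUS shared secret are placeholders, and
# the martin line is deliberately wrapped mid-hash to mimic a pasted dump.
SAMPLE_CONFIG = """\
# Chassis Firmware Revision: 08.42.06.0001
# system
set system login admin super-user enable local-only yes
set system login rw read-write enable
set system login ro read-only disable
set system login martin super-user enable password :PLACEHOLDER_HASH
:1: local-only yes
set radius enable
set radius timeout 15
set radius server 1 192.0.2.10 1812 :PLACEHOLDER_SECRET:
set radius realm management-access 1
"""

# Assumed shape of an EOS login line, taken from the examples in this thread.
LOGIN_RE = re.compile(
    r"^set system login (?P<user>\S+) (?P<level>super-user|read-write|read-only) "
    r"(?P<state>enable|disable)(?P<rest>.*)$"
)


def _unwrap(config: str) -> List[str]:
    """Re-join lines wrapped by a terminal or copy-paste.

    Any non-empty line that does not begin with 'set ' or '#' is treated as the
    tail of the previous line and appended without a separator, because the
    wraps seen in pasted dumps split tokens such as password hashes.
    """
    lines: List[str] = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if lines and not (line.startswith("set ") or line.startswith("#")):
            lines[-1] += line
        else:
            lines.append(line)
    return lines


def parse_logins(config: str) -> Dict[str, dict]:
    """Return {username: {level, enabled, local_only}} for every login line."""
    accounts: Dict[str, dict] = {}
    for line in _unwrap(config):
        m = LOGIN_RE.match(line)
        if not m:
            continue
        accounts[m.group("user")] = {
            "level": m.group("level"),
            "enabled": m.group("state") == "enable",
            # 'local-only yes' may follow a password hash, so search the tail.
            "local_only": re.search(r"\blocal-only yes\b", m.group("rest")) is not None,
        }
    return accounts


def radius_management_enabled(config: str) -> bool:
    """True when RADIUS is enabled and at least one server serves the
    management-access realm (the combination that sends logins to RADIUS first)."""
    lines = _unwrap(config)
    enabled = any(line == "set radius enable" for line in lines)
    realm = any(line.startswith("set radius realm management-access") for line in lines)
    return enabled and realm


def accounts_without_local_fallback(config: str) -> List[str]:
    """Enabled accounts that are not checked against the local store first."""
    if not radius_management_enabled(config):
        return []
    return [
        user for user, acct in parse_logins(config).items()
        if acct["enabled"] and not acct["local_only"]
    ]


if __name__ == "__main__":
    for user in accounts_without_local_fallback(SAMPLE_CONFIG):
        print(f"{user}: RADIUS is consulted first; no local-only fallback configured")
```

Run it against the output of a config dump saved from each switch; an empty result means every enabled account already has the local-first behaviour described above, and any name printed is one to add `local-only yes` to before the next RADIUS outage.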


  • 2.  RE: Local Passwords First

    Posted 10-04-2017 11:02
    Hi There,

    I know this post is really old, but I'm just trying this now. I'm using Radius and I can log in fine, but essentially with this command I should be able to log in also with my local accounts but it won't.

    Need a means to configure access, for the exact same example given above that I've just experienced. I use NAC and the LDAP connector went down so the switch thought Radius was fine but I couldn't log in!

    This is actually on a Flow Collector PV-FC, but not that that should make any difference.

    Here is the code I'm running and the account config:

    # Chassis Firmware Revision: 08.42.06.0001
    # system
    set system login martin super-user enable password :729ed2e55344a0d9c99493d08d8f0bd61103b4eaf93ab3e922228d8d:1: local-only yes
    set radius enable
    set radius timeout 15
    set radius server 1 x.x.x.x 1812 :3f7f042f478affa92567813d84e6f4dc509bd1455f1e8fabc5fdc12b:
    set radius realm management-access 1
    set radius max-sessions 3000 1
    set radius server 2 x.x.x.x 1812 :067122fafa364e2210024536cdd648ce487a8ab76004f01fdb572cdb:
    set radius realm management-access 2
    set radius max-sessions 3000 2
    set radius algorithm round-robin
    set radius accounting enable
    set radius accounting server 1 x.x.x.x1 1813 :e44f6aa51428eeeee32ca72377ff18853bc4148b1ffa2795b7ab3ae4:
    set radius accounting retries 3 1
    set radius accounting timeout 10 1
    set radius accounting server 2 x.x.x. 1813 :9bb21f6e35aaaab03d260965fcff19a6c445b876f97fd1f7be6c2cdb:
    set radius accounting retries 3 2
    set radius accounting timeout 10 2

    Many thanks in advance.