Can't Access Switches With Loss To LDAP via NAC

  • Question
  • Updated 9 months ago
  • Answered
Hi,

Currently have all switches in the network doing management login via RADIUS via NAC, and then on to LDAP to AD.

The problem has arisen, although two AD (LDAP) connections have been configured, where full loss of both LDAP services has occurred (appreciate that the resiliency here is broken, but...).

The issue is (I believe) that because RADIUS is still working between the switch and NAC, the switches still think all is good and don't default to using a local account.

Do you know if there is any way to correct that?

Was wondering if there is a rule or an AAA configuration that could take precedence in that situation to use local authentication - have played but not got anything to work with that line of thought.

Perhaps there is an EXOS configuration that can, for example, test the LDAP servers before doing RADIUS management authentication, or equally something NAC could do similar?

Anyone had the same problem and found a solution?

Many thanks.
Martin Flammia

Posted 9 months ago
Schmotter, Ryan, Employee
Martin, if the failsafe account is configured, that is an option to access the switches.
Martin Flammia
Oh right!

The LDAP servers are back up now, but do you know if that would work via SSH and/or when locally connected?
Schmotter, Ryan, Employee
The failsafe account needs to be configured; it is not on by default and does not show up in the config. It is meant to be a last-resort account. You can use it on the console and over SSH. Check out page 31 of the 21.1 EXOS user guide.
Martin Flammia
Thanks Ryan.

Fortunately I always configure one by default, but there was just one step I missed out when I tested this:

https://gtacknowledge.extremenetworks.com/articles/How_To/How-To-Create-a-Failsafe-Account

I had not permitted access to the failsafe account via SSH!

Cheers for your help
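To make Ryan's answer and Martin's missed step concrete, the EXOS CLI sequence below is an added example and is not part of the original thread or of Extreme's documentation. It creates the failsafe account, permits it over SSH (the step Martin reports having missed), and verifies the result. The command keywords are written from memory of the EXOS CLI and should be checked against the EXOS user guide and the GTAC article linked above before use, since exact syntax varies between releases; the account name and the interactive prompts shown are illustrative.

```text
# Added example (not from the thread): EXOS CLI, entered on the console.

# 1. Create the failsafe account. The command prompts interactively, and
#    the credentials are not written to the running or saved configuration.
configure failsafe-account
  enter failsafe user name: recovery        # illustrative name, assumed
  enter failsafe password: ********
  enter password again: ********

# 2. Allow the failsafe account to log in over SSH, not only on the serial
#    console. This is the step that was missed in the thread.
enable failsafe-account permit ssh

# 3. Verify which access methods the failsafe account is permitted on.
show failsafe-account

# 4. Test the account from a management host while the LDAP back end is
#    healthy, e.g.  ssh recovery@<switch-management-address>
#    Confirm the login succeeds now rather than discovering a problem
#    during the next outage.
```

Because the failsafe credentials do not appear in the configuration, nothing in a config backup or diff will tell you whether the account exists or which access methods it permits; record its creation in change control and keep the password in a vault rather than relying on memory during an incident.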