Can't Access Switches With Loss To LDAP via NAC

Anonymous
Not applicable
Hi,

Currently have all switches in the network doing management login via RADIUS via NAC and then onto LDAP to AD.

The problem has arisen, although two AD (LDAP) connections have been configured, where full loss to both the LDAP services has occurred. (Appreciate that the resiliency here is broken, but...)

The issue is (I believe) that because RADIUS is still working between the switch and NAC, the switches still think all is good and don't default to using a local account.

Do you know if there is any way to correct that?

Was wondering if there is a rule or an AAA configuration that could take precedence in that situation to use local authentication - have played but not got anything to work with that line of thought.

Perhaps there is an EXOS configuration that can, for example, test the LDAP servers before doing RADIUS management authentication, or equally something NAC could do similar?

Anyone had the same problem and found a solution?

Many thanks.

Schmotter__Ryan
Extreme Employee
Martin, if the failsafe account is configured, that is an option to access the switches.

Anonymous
Not applicable
Thanks Ryan.

Fortunately I always configure one by default, but there was just one step I missed out when I tested this:

https://gtacknowledge.extremenetworks.com/articles/How_To/How-To-Create-a-Failsafe-Account

I had not permitted access to the failsafe account via SSH!

Cheers for your help

The Failsafe account needs to be configured, it is not on by default and does not show up in the config. It is meant to be a last-resort account. You can use it in the console and SSH. Check out page 31 of the 21.1 EXOS user guide.

Anonymous
Not applicable
Oh right!

The LDAP servers are back up now, but do you know if that would work via SSH and/or when locally connected?