Configure Local Accounts Restricted to Console Only

  • 0
  • 2
  • Question
  • Updated 3 years ago
  • Answered
I found a similar question here, but it was never answered:

I've been tasked to restrict local account access to console-only authentication on all the network equipment in our environment.  For the Cisco, Arista, and Brocade equipment, I was able to accomplish this task.  However for the Extreme Networks equipment, I cannot figure out how to do this.

For reference, I have an X450e-48p running ExtremeXOS v12.3.2.5.  

In the Cisco equipment, I was able to to this:
aaa authentication login default group Mgmt
aaa authentication login ConsoleOnly local
line con 0
  login authentication ConsoleOnly
It was similary done w/ the Arista and Brocade equipment.  As you can see in the example, the default login uses group Mgmt (which utilizes RADIUS).  However, now with that configuration, when we connect via console, we MUST use a local login.

I know the Extreme Networks switch allows you to use a failsafe account and you can restrict that to console only, but it is my understanding that there must also be at least ONE administrator account configured on the switch.

With this, I cannot restrict console access, as the RADIUS accepted logins and the local administrator account is allowed to login via console.

Is this not do-able?  Is there no way to lock down the console port access?
Photo of Hyoun Kim

Hyoun Kim

  • 100 Points 100 badge 2x thumb
  • frustrated

Posted 3 years ago

  • 0
  • 2
Photo of Patrick Voss

Patrick Voss, Alum

  • 11,744 Points 10k badge 2x thumb
Hi Hyoun,

Unless I am misunderstanding your question I believe you can just "disable telnet" and "disable ssh"
Photo of Hyoun Kim

Hyoun Kim

  • 100 Points 100 badge 2x thumb
Hi Patrick, Sorry for the confusion.

Right now, whether console or via SSH, I can log in with both local accounts and RADIUS authenticated accounts.

What I am trying to accomplish is the following:
  1. Allow SSH to use RADIUS authentication *only* (no use of local accounts)
  2. Restrict Console ACcess to local accounts *only* (no use of RADIUS authentication).
Photo of Balaji

Balaji, Employee

  • 776 Points 500 badge 2x thumb

Unfortunately with EXOS we don't have that option. you cannot restrict the Console Access to local accounts.
Photo of Hyoun Kim

Hyoun Kim

  • 100 Points 100 badge 2x thumb
Got it!  Thank you!