Configure Local Accounts Restricted to Console Only

Hyoun_Kim1
New Contributor II
I found a similar question here, but it was never answered:
https://community.extremenetworks.com/extreme/topics/switch_management_authentication-1h8cmy?topic-r...

I've been tasked to restrict local account access to console-only authentication on all the network equipment in our environment. For the Cisco, Arista, and Brocade equipment, I was able to accomplish this task. However, for the Extreme Networks equipment, I cannot figure out how to do this.

For reference, I have an X450e-48p running ExtremeXOS v12.3.2.5.

In the Cisco equipment, I was able to do this:
aaa authentication login default group Mgmt
aaa authentication login ConsoleOnly local
!
line con 0
login authentication ConsoleOnly

It was similarly done w/ the Arista and Brocade equipment. As you can see in the example, the default login uses group Mgmt (which utilizes RADIUS). However, now with that configuration, when we connect via console, we MUST use a local login.

I know the Extreme Networks switch allows you to use a failsafe account and you can restrict that to console only, but it is my understanding that there must also be at least ONE administrator account configured on the switch.

With this, I cannot restrict console access, as the RADIUS accepted logins and the local administrator account are allowed to log in via console.

Is this not do-able? Is there no way to lock down the console port access?
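
The Cisco configuration in the question above can be checked across a fleet with a short audit script. This is an added example, not part of the original post: the function names and the `line vty` stanza in the sample are constructed, and it assumes a line with no `login authentication` command falls back to the `default` method list.

```python
import re

# Constructed sample: the poster's lines plus an assumed vty stanza.
SAMPLE = """\
aaa authentication login default group Mgmt
aaa authentication login ConsoleOnly local
!
line con 0
 login authentication ConsoleOnly
line vty 0 4
 transport input ssh
"""

def login_methods(config):
    """Map each 'line ...' stanza to the AAA login methods it resolves to."""
    lists, applied, current = {}, {}, None
    for raw in config.splitlines():
        text = raw.strip()
        m = re.match(r"aaa authentication login (\S+) (.+)", text)
        if m:
            lists[m.group(1)] = m.group(2).split()
            current = None
        elif raw.startswith("line "):
            current = text
            applied[current] = "default"  # assumption: no explicit list means 'default'
        elif current and text.startswith("login authentication "):
            applied[current] = text.split()[2]
        elif not raw[:1].isspace():
            current = None  # '!' or any other top-level command ends the stanza
    return {line: lists.get(name, []) for line, name in applied.items()}

def audit(config):
    """Findings against the thread's goal: console local-only, vty RADIUS-only."""
    findings = []
    for line, methods in login_methods(config).items():
        if line.startswith("line con") and methods != ["local"]:
            findings.append(f"{line}: expected local only, got {methods}")
        if line.startswith("line vty") and ("local" in methods or "group" not in methods):
            findings.append(f"{line}: expected a server group without local, got {methods}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE) or ["console is local-only, vty is server-group-only"]:
        print(finding)
```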

4 REPLIES

Balaji
Extreme Employee
Hyoun,

Unfortunately, with EXOS we don't have that option. You cannot restrict the Console Access to local accounts.

Hyoun_Kim1
New Contributor II
Got it! Thank you!

Patrick_Voss
Extreme Employee
Hi Hyoun,

Unless I am misunderstanding your question, I believe you can just "disable telnet" and "disable ssh".

Hi Patrick, sorry for the confusion.

Right now, whether console or via SSH, I can log in with both local accounts and RADIUS authenticated accounts.

What I am trying to accomplish is the following:
  1. Allow SSH to use RADIUS authentication *only* (no use of local accounts)
  2. Restrict Console Access to local accounts *only* (no use of RADIUS authentication).