Extreme using radius JUST to authenticate, not for all command verification.

  • Question
  • Updated 10 months ago
  • Answered
I have an ExtremeXOS version 16.2.1.6 configured. My intention was just to authenticate my users, but I realized that when a user passes any command the Extreme checks the permission. Is this normal? Is it possible to change this behavior? If yes, how?
Best regards
Kalil De A. Carvalho

Posted 11 months ago


Ram, Employee

Hello Ram, thanks for your reply.
I think that is my problem. I just want to authorize the login. After that, I don't want the switch to check the RADIUS server all the time, whenever a user passes a command. If there is any communication problem between the switch and RADIUS, I lose my privilege. Is that it? Can I change it so that it does not authenticate commands all the time?
Best regards

Ram, Employee

Could you please explain to us in detail how you are checking on the RADIUS server and the switch that authorization is happening for any command executed? Also, please share the configuration "show configuration aaa".

Ronald Dvorak, Embassador

Please take a look at this post, which includes a link to screenshots of a working setup...

https://community.extremenetworks.com/extreme/topics/microsoft-nps-server-vsa-configuration-for-extr...
Hello all.

Good morning Ram, here is my configuration:

configure radius mgmt-access primary shared-secret PASSWORD
configure radius mgmt-access primary server IP_SERVER 1812 client-ip IP_CLIENT vr VR-Mgmt
configure radius mgmt-access secondary shared-secret PASSWORD
configure radius mgmt-access secondary server IP_SERVER 1812 client-ip IP_CLIENT vr VR-Mgmt
enable radius mgmt-access

We noticed that all commands a user passes were checked by the switches. For example, if a user passed "show configuration", the switch sent a new check for this command. The problem is that if we have any problem between the switch and the RADIUS server, the user will not be able to do anything any more.

We noticed that behavior by running tcpdump commands on the RADIUS server. So, with that we could see this.

Is it possible to turn this off, and just let the switch check the login and nothing more?

Best regards.
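
One way to quantify what the tcpdump capture on the RADIUS server showed is to count Access-Request packets per switch and user name: more requests than logins means the switch is going back to RADIUS after login. This is an added example, not code from the thread or from Extreme; it parses the RFC 2865 packet layout, all sample packets, user names and addresses are constructed, and extracting the UDP payloads from a capture file is assumed to be done elsewhere.

```python
import struct
from collections import Counter

ACCESS_REQUEST, ATTR_USER_NAME, ATTR_NAS_IP = 1, 1, 4  # RFC 2865 code and attribute types

def build_request(ident, user, nas_ip):
    """Build a constructed Access-Request (sample data only, zeroed authenticator)."""
    attrs = bytes([ATTR_USER_NAME, 2 + len(user)]) + user.encode()
    attrs += bytes([ATTR_NAS_IP, 6]) + bytes(int(o) for o in nas_ip.split("."))
    header = struct.pack("!BBH16s", ACCESS_REQUEST, ident, 20 + len(attrs), b"\0" * 16)
    return header + attrs

def parse_radius(payload):
    """Return (code, {attr_type: value}) for a RADIUS UDP payload, or None if malformed."""
    if len(payload) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        return None
    attrs, pos = {}, 20  # attributes start after the 20-byte header
    while pos + 2 <= length:
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > length:
            return None
        attrs[atype] = payload[pos + 2:pos + alen]
        pos += alen
    return (code, attrs) if pos == length else None

def count_access_requests(payloads):
    """Tally Access-Requests per (NAS-IP-Address, User-Name); skip anything else."""
    counts = Counter()
    for p in payloads:
        parsed = parse_radius(p)
        if parsed is None or parsed[0] != ACCESS_REQUEST:
            continue
        user = parsed[1].get(ATTR_USER_NAME, b"").decode(errors="replace")
        nas = ".".join(str(b) for b in parsed[1].get(ATTR_NAS_IP, b""))
        counts[(nas, user)] += 1
    return counts

# Constructed sample: three requests for one user from one switch, one from another
SAMPLE = [build_request(i, "operator1", "192.0.2.10") for i in range(3)]
SAMPLE.append(build_request(9, "admin", "192.0.2.11"))
SAMPLE.append(b"\x01\x02\x00")  # truncated packet, ignored by the parser

if __name__ == "__main__":
    for (nas, user), n in count_access_requests(SAMPLE).items():
        print(f"{nas} {user}: {n} Access-Request(s)")
```

Comparing the per-user count with the number of logins in the same capture window separates login authentication from any requests the switch sends afterwards.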

Ram, Employee

Could you please provide me the entire output of "show configuration aaa", "show switch" and "show version"? If it is an issue, we need to test this in a local lab. Hence, you could also open a GTAC case with the "show tech" output and a detailed explanation of your issue.
Hello Ram.

Sorry for my late reply. Here is the information that you asked for:

show configuration aaa:
configure radius mgmt-access primary server RADIUS_IP 1812 client-ip CLIENT_IP vr VR-Mgmt
configure radius mgmt-access primary shared-secret encrypted PASSWORD
configure radius mgmt-access secondary server RADIUS_IP 1812 client-ip CLIENT_IP vr VR-Mgmt
configure radius mgmt-access secondary shared-secret encrypted PASSWORD
enable radius mgmt-access


show switch:

SysName:          ampere
SysLocation:      
SysContact:       
System MAC:       
System Type:      X670-48x

SysHealth check:  Enabled (Normal)
Recovery Mode:    All
System Watchdog:  Enabled

Current Time:     Thu Aug  3 10:55:20 2017
Timezone:         [Auto DST Disabled] GMT Offset: -180 minutes, name is BRT.
Boot Time:        Sat Jul 22 01:21:01 2017
Boot Count:       23
Next Reboot:      None scheduled
System UpTime:    12 days 9 hours 34 minutes 18 seconds 


Image Selected:   secondary               
Image Booted:     secondary               
Primary ver:      16.1.2.14               
Secondary ver:    16.2.1.6    

Config Selected:  primary.cfg                                          
Config Booted:    primary.cfg                                          

primary.cfg       Created by ExtremeXOS version 16.2.1.6
                  1083719 bytes saved on Mon Jul 31 20:11:38 2017

show version:
Switch      : 800400-00-04 1151G-00686 Rev 4.0 BootROM: 2.0.1.5    IMG: 16.2.1.6  
PSU-1       : Internal PSU-1 800282-00-04 1201K-82195
PSU-2       : Internal PSU-2 800282-00-04 1201K-82194

Image   : ExtremeXOS version 16.2.1.6 by release-manager
          on Sat Aug 6 19:06:56 EDT 2016
BootROM : 2.0.1.5
Diagnostics : 6.4