Local Passwords First

  • Idea
  • Updated 1 year ago
So I started adding the following lines to all of our Enterasys switches.

set system login rw read-write enable local-only yes
set system login ro read-only enable local-only yes
set system login admin super-user enable local-only yes

If you have RADIUS configured for logging into switches, so admins can use their own logins and be accountable, it can be challenging when things go wrong.  

By default the switches will check with RADIUS first for all logins.  So the only way local logins will work is if RADIUS is totally out of the picture.  Even then you will have to wait for the RADIUS process to timeout before the switch will check the local password store.  If RADIUS is up but is messed up, the switch may never check the local store.  Then the only way you can get in is to console into the switch and unplug the uplink or perhaps create a policy that will not allow the switch to talk to the RADIUS server at all.  In the height of a crisis this may cause you to blow a gasket.

With this config the switches will always check the local store first for the usernames you specify.  You'll be happy you did this if your RADIUS server ever goes sideways.

John

John Kaftan

Posted 4 years ago

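As an added example (not code from either post, and not an Enterasys tool), here is a small Python audit that reads a switch config dump and reports which enabled local accounts lack `local-only yes` while RADIUS is enabled, i.e. which logins will still be sent to RADIUS before the local store. The sample configs, account names, the password hash and the RADIUS server address are constructed placeholders; the rule that a line not starting with `set ` or `#` is a wrapped continuation of the previous command is an assumption about pasted dumps, not switch behaviour.

```python
import re
from dataclasses import dataclass

# Constructed sample config dumps (not taken from the post). The first has RADIUS
# enabled with no local-only account; the second applies the local-only setting.
CONFIG_RADIUS_FIRST = """\
# system
set system login admin super-user enable
set system login ro read-only enable
set radius enable
set radius server 1 192.0.2.10 1812 :0123abcd:
set radius realm management-access 1
"""

CONFIG_LOCAL_FIRST = """\
# system
set system login admin super-user enable local-only yes
set system login martin super-user enable password :deadbeef
cafef00d:1: local-only yes
set system login ro read-only enable
set radius enable
set radius server 1 192.0.2.10 1812 :0123abcd:
"""

LOGIN_RE = re.compile(
    r"^set system login (?P<user>\S+) (?P<role>super-user|read-write|read-only) "
    r"(?P<state>enable|disable)(?P<rest>(?: .*)?)$"
)


@dataclass
class LocalAccount:
    user: str
    role: str
    enabled: bool
    local_only: bool


def normalize_lines(config):
    """Rejoin commands that a paste wrapped onto a continuation line.

    Assumption: a line that does not start with 'set ' or '#' is the tail of
    the previous command (a property of pasted dumps, not a switch feature)."""
    lines = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if lines and not (line.startswith("set ") or line.startswith("#")):
            lines[-1] += line
        else:
            lines.append(line)
    return lines


def parse_logins(config):
    """Return the local login accounts declared in the config."""
    accounts = []
    for line in normalize_lines(config):
        m = LOGIN_RE.match(line)
        if not m:
            continue
        accounts.append(LocalAccount(
            user=m.group("user"),
            role=m.group("role"),
            enabled=m.group("state") == "enable",
            # 'local-only yes' may follow the password blob, so search the tail
            local_only=re.search(r"\blocal-only yes\b", m.group("rest")) is not None,
        ))
    return accounts


def radius_enabled(config):
    """Last 'set radius enable/disable' wins, as in a sequential config replay."""
    enabled = False
    for line in normalize_lines(config):
        if line == "set radius enable":
            enabled = True
        elif line == "set radius disable":
            enabled = False
    return enabled


def audit(config):
    """Flag accounts whose login will be sent to RADIUS before the local store."""
    findings = []
    if not radius_enabled(config):
        return findings  # without RADIUS every login is local anyway
    accounts = parse_logins(config)
    if not any(a.enabled and a.role == "super-user" and a.local_only for a in accounts):
        findings.append("RADIUS enabled but no enabled super-user account has "
                        "'local-only yes': console recovery depends on RADIUS timing out")
    for a in accounts:
        if a.enabled and not a.local_only:
            findings.append(f"account {a.user} ({a.role}) is checked against RADIUS first")
    return findings


if __name__ == "__main__":
    for name, cfg in (("radius-first", CONFIG_RADIUS_FIRST), ("local-first", CONFIG_LOCAL_FIRST)):
        print(name, audit(cfg) or ["ok"])
```

Run it against `show config` output saved to a file to confirm that at least one enabled super-user account is marked `local-only yes` before relying on it as the break-glass login during a RADIUS outage.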
Martin Flammia

Hi There,

I know this post is really old, but I'm just trying this now. I'm using Radius and I can log in fine, but essentially with this command I should be able to log in also with my local accounts, but it won't.

Need a means to configure access, for the exact same example given above that I've just experienced. I use NAC and the LDAP connector went down so the switch thought Radius was fine but I couldn't log in!

This is actually on a Flow Collector PV-FC, but not that that should make any difference.

Here is the code I'm running and the account config:

# Chassis Firmware Revision:  08.42.06.0001
# system
set system login martin super-user enable password :729ed2e55344a0d9c99493d08d8f0bd61103b4eaf93ab3e922228d8d:1: local-only yes
set radius enable
set radius timeout 15
set radius server 1 x.x.x.x 1812 :3f7f042f478affa92567813d84e6f4dc509bd1455f1e8fabc5fdc12b:
set radius realm management-access 1
set radius max-sessions 3000 1
set radius server 2 x.x.x.x 1812 :067122fafa364e2210024536cdd648ce487a8ab76004f01fdb572cdb:
set radius realm management-access 2
set radius max-sessions 3000 2
set radius algorithm round-robin
set radius accounting enable
set radius accounting server 1 x.x.x.x1 1813 :e44f6aa51428eeeee32ca72377ff18853bc4148b1ffa2795b7ab3ae4:
set radius accounting retries 3 1
set radius accounting timeout 10 1
set radius accounting server 2 x.x.x. 1813 :9bb21f6e35aaaab03d260965fcff19a6c445b876f97fd1f7be6c2cdb:
set radius accounting retries 3 2
set radius accounting timeout 10 2

Many thanks in advance.
