XOS - Using RADIUS and local users possible?

We're finally implementing RADIUS for all of our XOS gear in conjunction with a move to NetSight. I've noticed that once RADIUS is configured on a switch, authentications that fail via RADIUS don't attempt to use the local database. I know that it will use the local database if RADIUS can't be contacted, but is there a way for XOS to check the local DB as well when RADIUS is working? I wasn't sure what the best approach would be for adding switches into NetSight, but originally we thought it would be a local account on the switch. Those aren't working now, so configuration backups started failing, which led me to this question. Thanks for the help in advance.
Andrew Schmitt

Posted 3 years ago

PARTHIBAN CHINNAYA, Alum

Hello, it is actually not the right way for a client to check RADIUS and the local database when the RADIUS server is reachable.

The EXOS implementation is: when the RADIUS server is not reachable, it will fall back to the local database.
But when RADIUS authentication fails, it will not look into the local database.

If you really need this to work your way: I remember this issue very well; it must be in earlier 15.3 and 15.2 versions that it works the way you like.

The way you wanted RADIUS to work is as below:

When the RADIUS server is not reachable, it will fall back to the local database.
When RADIUS is reachable, it will allow access based on the RADIUS database.

Also, when RADIUS authentication fails, it will look into the local database, and if the username and password are valid as per the local database, it allows access for the client.

Daniel Flouret, Employee

Andrew,

As stated in the documentation:

"A user rejected by the Radius/TACACS server can not be authenticated via local database."

This behavior can't be changed.

Andrew Schmitt

Thanks guys. Works for me.

Bill Stritzinger, Alum

Andrew,

In addition to the above responses, there is a new feature that is forthcoming that will allow you to disable the local users altogether if RADIUS or TACACS is enabled for remote admin authentication. As Parthiban mentioned, in 15.3.1.4-patch1-7 and earlier, even if you have TACACS or RADIUS configured, they WILL fall back to local users. This behavior has changed with any later code releases.

Bill
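
The login order described in this thread, modeled as an added Python example (it is not EXOS code and not from any poster). The account names, passwords, and the `legacy_fallback` flag are constructed for illustration; the flag stands in for the older behavior the replies attribute to 15.3.1.4-patch1-7 and earlier.

```python
import hmac

# Constructed sample credential stores (illustrative only).
RADIUS_DB = {"operator": "radius-pw", "admin": "radius-admin-pw"}
LOCAL_DB = {"admin": "local-admin-pw", "netsight": "backup-pw"}


def _matches(db, user, password):
    """Constant-time check of a password against a stored entry."""
    stored = db.get(user)
    return stored is not None and hmac.compare_digest(stored, password)


def login(user, password, radius_db, local_db,
          reachable=True, legacy_fallback=False):
    """Return 'radius' or 'local' (the source that granted access), or None."""
    if reachable:
        if _matches(radius_db, user, password):
            return "radius"
        if not legacy_fallback:
            # A reject from a reachable server is final: the local
            # database is never consulted.
            return None
    # Server unreachable, or an older release falling back after a reject.
    return "local" if _matches(local_db, user, password) else None


def local_only_accounts(radius_db, local_db):
    """Local accounts with no RADIUS entry: usable only during an outage."""
    return sorted(set(local_db) - set(radius_db))


if __name__ == "__main__":
    cases = [
        ("RADIUS up, current behavior", {}),
        ("RADIUS unreachable", {"reachable": False}),
        ("RADIUS up, legacy fallback", {"legacy_fallback": True}),
    ]
    for label, kwargs in cases:
        result = login("netsight", "backup-pw", RADIUS_DB, LOCAL_DB, **kwargs)
        print(f"{label}: netsight -> {result}")
    print("Provision in RADIUS:", local_only_accounts(RADIUS_DB, LOCAL_DB))
```

In this model the local-only `netsight` account is denied whenever RADIUS is reachable, which matches the failing configuration backups in the question; `local_only_accounts` lists the accounts that would need a RADIUS entry to keep working.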