
XOS - Using RADIUS and local users possible?

Andrew_Schmitt
New Contributor II
We're finally implementing RADIUS for all of our XOS gear in conjunction with a move to NetSight. I've noticed that once RADIUS is configured on a switch, authentications that fail via RADIUS don't attempt to use the local database. I know that it will use the local database if RADIUS can't be contacted, but is there a way for XOS to check the local DB as well when RADIUS is working? I wasn't sure what the best approach would be for adding switches into NetSight, but originally we thought it would be a local account on the switch. Those aren't working now, so configuration backups started failing, which led me to this question. Thanks for help in advance.

Bill_Stritzinge
Extreme Employee
Andrew,

In addition to the above responses, there is a new feature that is forthcoming that will allow you to disable the local users altogether if RADIUS or TACACS is enabled for remote admin authentication. As Parthiban mentioned, in 15.3.1.4-patch1-7 and earlier, even if you have TACACS or RADIUS configured they WILL fall back to local users. This behavior has changed with any later code releases.

Bill

Andrew_Schmitt
New Contributor II
Thanks guys. Works for me.

dflouret
Extreme Employee
Andrew,

As stated in the documentation:

"A user rejected by the Radius/TACACS server can not be authenticated via local database."

This behavior can't be changed.

PARTHIBAN_CHINN
Contributor
Hello, it is actually not the right way for a client to check RADIUS and the local database when the RADIUS server is reachable.

The EXOS implementation is: when the RADIUS server is not reachable, it will fall back to the local database.
But when RADIUS authentication fails, it will not look into the local database.

If you really need this to work your way: I remember this issue very well; it must be in earlier
15.3 and 15.2 versions that it works in the way you like.

The way you wanted RADIUS to work is as below:

When the RADIUS server is not reachable, it will fall back to the local database.
When RADIUS is reachable, it will allow access based on the RADIUS database.

Also, when RADIUS authentication fails, it will look into the local database. And if the username and password are valid as per the local database, it allows access for the client.
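
The two fallback behaviors discussed in this thread, as an added example that is not part of any post and is not EXOS code: a small Python model of the login decision. The names `login`, `local_on_reject`, and the sample accounts are constructed for illustration.

```python
import hmac
from enum import Enum

class RadiusResult(Enum):
    ACCEPT = "accept"            # server replied Access-Accept
    REJECT = "reject"            # server replied Access-Reject
    UNREACHABLE = "unreachable"  # no reply from any configured server

# Constructed sample databases, not taken from any real switch.
RADIUS_USERS = {"aschmitt": "radius-pw"}
LOCAL_USERS = {"netsight-backup": "local-pw"}

def _check(db, user, password):
    expected = db.get(user)
    # Constant-time compare so the model does not leak match length by timing.
    return expected is not None and hmac.compare_digest(expected, password)

def radius_auth(user, password, reachable=True):
    if not reachable:
        return RadiusResult.UNREACHABLE
    ok = _check(RADIUS_USERS, user, password)
    return RadiusResult.ACCEPT if ok else RadiusResult.REJECT

def login(user, password, reachable=True, local_on_reject=False):
    """Return (allowed, source_of_decision).

    local_on_reject=False: a RADIUS reject is final; the local database is
    consulted only when the server is unreachable (the behavior the
    documentation quote above describes).
    local_on_reject=True: a reject also falls through to the local database
    (the behavior the thread attributes to earlier releases).
    """
    result = radius_auth(user, password, reachable)
    if result is RadiusResult.ACCEPT:
        return True, "radius"
    if result is RadiusResult.UNREACHABLE or local_on_reject:
        return _check(LOCAL_USERS, user, password), "local"
    return False, "radius"

if __name__ == "__main__":
    cases = [
        ("local-only account, RADIUS up, reject final", dict()),
        ("local-only account, RADIUS down", dict(reachable=False)),
        ("local-only account, RADIUS up, reject falls through",
         dict(local_on_reject=True)),
    ]
    for label, kwargs in cases:
        print(label, "->", login("netsight-backup", "local-pw", **kwargs))
```

With a reject treated as final, a management account that exists only on the switch is denied while RADIUS is reachable, so such an account has to exist on the RADIUS server as well. With fall-through enabled, an account rejected by RADIUS can still log in if a matching local user remains on the switch.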
