I’m testing enabling active directory login using windows NPS servers. The thing is although this appears to be working, the switch no longer accepts the “admin” password. The concern is if the NPS servers were down for some reason (like a network issue) and you want to troubleshoot that network issue so you go to the network (switch) and then you wouldn’t have a backdoor way in from another location.
Here is the config added to the switch
configure radius mgmt-access primary server 10.1.1.1 1645 client-ip 10.1.0.111 vr VR-Default
configure radius mgmt-access primary shared-secret Secrethere
configure radius mgmt-access secondary server 10.1.1.2 1645 client-ip 10.1.0.111 vr VR-Default
configure radius mgmt-access secondary shared-secret Secrethere
enable radius mgmt-access
Also notice regular AD users can log in, but thankfully they do not have any admin rights on the switch.
Best answer by B-rad
No worries. Glad we can help. If you want to change the RADIUS timeout period the command is
# configure radius mgmt-access timeout <seconds>
RADIUS server timeout seconds. Range is 1 to 240.
The failsafe account is very much intended as an “in case of fire, break glass” type of scenario; as you said, the session isn’t logged and will always let the administrator right in.
It’s definitely a viable option, though.
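An added example (not from the post or from Extreme) for checking the failure mode the question worries about: it builds a minimal RFC 2865 Access-Request with only the standard library, sends it to the primary and then the secondary server with the same per-server timeout the switch would use, and reports which one answered. The server addresses, port 1645 and client IP are the ones from the post; the shared secret and the probe credentials are placeholders.

```python
import hashlib
import os
import socket
import struct

def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide User-Password as in RFC 2865 5.2: MD5(secret + previous block) XOR plaintext."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def decode_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_user_password (what the RADIUS server does on receipt)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(username: str, password: str, secret: bytes, nas_ip: str, identifier: int = 1):
    """Access-Request (code 1) carrying User-Name(1), User-Password(2), NAS-IP-Address(4)."""
    authenticator = os.urandom(16)
    attrs = b""
    for atype, value in ((1, username.encode()),
                         (2, encode_user_password(password.encode(), secret, authenticator)),
                         (4, socket.inet_aton(nas_ip))):
        attrs += struct.pack("!BB", atype, len(value) + 2) + value
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs, authenticator

def probe(servers, secret, username, password, nas_ip, timeout=3.0):
    """Ask primary, then secondary, each with its own timeout, and report what answered."""
    results = []
    for host, port in servers:
        pkt, _ = build_access_request(username, password, secret, nas_ip)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.sendto(pkt, (host, port))
                reply, _ = sock.recvfrom(4096)
                results.append((host, {2: "Access-Accept", 3: "Access-Reject"}.get(reply[0], f"code {reply[0]}")))
                return results  # first server that answers decides, as on the switch
            except socket.timeout:
                results.append((host, "no response"))  # switch would move on to the next server
    return results
```

Run it as `probe([("10.1.1.1", 1645), ("10.1.1.2", 1645)], b"Secrethere", "probe-user", "probe-pass", "10.1.0.111")`; NPS silently discards requests from hosts that are not registered as RADIUS clients, so "no response" from an unregistered probe host is expected and does not by itself mean the server is down.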