Solved

Create local backdoor switch admin account in case NPS / Radius is down

  • 23 September 2020
  • 6 replies
  • 63 views

Userlevel 1

Hello,

I’m testing enabling Active Directory login using Windows NPS servers. The thing is, although this appears to be working, the switch no longer accepts the “admin” password. The concern is that if the NPS servers were down for some reason (like a network issue) and you wanted to troubleshoot that network issue, you would go to the network (switch) and then you wouldn’t have a backdoor way in from another location.

 

Here is the config added to the switch

configure radius mgmt-access primary server 10.1.1.1 1645 client-ip 10.1.0.111 vr VR-Default
configure radius mgmt-access primary shared-secret Secrethere

configure radius mgmt-access secondary server 10.1.1.2 1645 client-ip 10.1.0.111 vr VR-Default
configure radius mgmt-access secondary shared-secret Secrethere
 

enable radius mgmt-access

 

Followed these two articles:
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-RADIUS-authentication-for-switch-management-access-in-EXOS

 

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-radius-server-to-provide-admin-level-access-privileges-to-users

 

I also notice regular AD users can log in, but thankfully they do not have any admin rights on the switch.

 

 


Best answer by B-rad 23 September 2020, 22:16

Hi Keith,

No worries. Glad we can help. If you want to change the RADIUS timeout period the command is

# configure radius mgmt-access timeout <seconds>
RADIUS server timeout seconds. Range is 1 to 240.

The failsafe account is very much intended as an “in case of fire, break glass” type of scenario; as you said, the session isn’t logged and it will always let the administrator right in.

It’s definitely a viable option, though.

Thanks

Brad


6 replies

Userlevel 6

Hi Keith,

If the RADIUS servers are unavailable, the switch should default to the on-switch database. If you are still nervous, you can configure a failsafe account on the switches that can be used and that is not authenticated against RADIUS.

Brad

Userlevel 6

The switch is not accepting the “admin” login anymore because it’s trying to authenticate that “admin” user against RADIUS, and if one isn’t present in RADIUS, then the RADIUS server sends an Access-Reject.

Userlevel 1

Ah, I see now. I checked the NPS logs; you’re right, it’s trying to authenticate the user admin to Active Directory and fails.

 

I temporarily disabled that RADIUS client in my two NPS servers and tried logging in as admin again. After a very long delay, it did log in. Any way to lower the delay? I imagine it’s because the output of the command show radius indicates, for each NPS server, 3 retries and a 15 second timeout (both marked with an asterisk, by the way).

 

Maybe a failsafe account is a better way to go.

The idea is to use a failsafe type of account with a very long password that is just not economical to use; that way admins who go into these switches don’t spend time looking it up, and instead they use their Active Directory admin account credentials, so access is logged and also behind our AD password policy.

 

Thanks for your quick response. You’re right… just a little tweaking to do and a full understanding before I roll this out from this test switch to our other live switch stacks.
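To make the two mechanisms in this thread concrete (the Access-Reject for the switch-local “admin” user while NPS is up, and the retries × timeout wait per server before the on-switch database gets a say), here is an added example that is not Extreme EXOS or Microsoft NPS code. It is a toy RADIUS exchange over localhost using RFC 2865 framing: an NPS-like server that answers from a stand-in user directory, and a switch-side client that walks the configured servers with the given retry/timeout budget and only then falls back to a local account table. The shared secret, usernames, passwords and ports are constructed, and the mapping of Service-Type Administrative-User to admin level is an assumption used for illustration, not a statement of how EXOS decides privilege.

```python
# Toy RADIUS management-access exchange (RFC 2865 framing only).
# Added example, not Extreme EXOS or Microsoft NPS code; secret, users,
# passwords and the Service-Type -> privilege mapping are assumptions.
import hashlib
import socket
import struct
import threading
import time
import os

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, SERVICE_TYPE = 1, 2, 6       # attribute types
SERVICE_LOGIN, SERVICE_ADMINISTRATIVE = 1, 6           # Service-Type values (assumed mapping)


def xor_password(data, secret, req_auth, decrypt=False):
    """RFC 2865 5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block); the first block uses the Request Authenticator."""
    data += b"\x00" * (-len(data) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        res = bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + res, (block if decrypt else res)
    return out.rstrip(b"\x00") if decrypt else out


def attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attrs(blob):
    attrs, i = {}, 0
    while i + 2 <= len(blob) and blob[i + 1] >= 2:
        attrs[blob[i]] = blob[i + 2:i + blob[i + 1]]
        i += blob[i + 1]
    return attrs


def build_request(ident, user, password, secret):
    req_auth = os.urandom(16)
    body = attr(USER_NAME, user.encode()) + attr(
        USER_PASSWORD, xor_password(password.encode(), secret, req_auth))
    return req_auth, struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body


def build_response(request, code, secret, body=b""):
    head = struct.pack("!BBH", code, request[1], 20 + len(body))
    # Response Authenticator ties the reply to this request and to the shared secret.
    return head + hashlib.md5(head + request[4:20] + body + secret).digest() + body


class NpsLikeServer(threading.Thread):
    """Answers from a directory {user: (password, is_admin)} standing in for AD."""
    def __init__(self, secret, directory):
        super().__init__(daemon=True)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind(("127.0.0.1", 0))
        self.addr, self.secret, self.directory = self.sock.getsockname(), secret, directory

    def run(self):
        while True:
            req, peer = self.sock.recvfrom(4096)
            a = parse_attrs(req[20:])
            pw = xor_password(a.get(USER_PASSWORD, b""), self.secret, req[4:20], decrypt=True)
            entry = self.directory.get(a.get(USER_NAME, b"").decode(errors="replace"))
            if entry is None or entry[0].encode() != pw:   # e.g. the switch-local "admin": not in AD
                self.sock.sendto(build_response(req, ACCESS_REJECT, self.secret), peer)
                continue
            svc = SERVICE_ADMINISTRATIVE if entry[1] else SERVICE_LOGIN
            body = attr(SERVICE_TYPE, struct.pack("!I", svc))
            self.sock.sendto(build_response(req, ACCESS_ACCEPT, self.secret, body), peer)


def switch_login(user, password, servers, secret, timeout, retries, local_db):
    """Switch side: each server gets `retries` tries of `timeout` seconds; only when
    every server stays silent does the on-switch database decide.
    Returns (decided_by, level, elapsed_seconds)."""
    start, ident = time.monotonic(), 0
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    for server in servers:
        for _ in range(retries):
            ident = (ident + 1) & 0xFF
            req_auth, pkt = build_request(ident, user, password, secret)
            try:
                sock.sendto(pkt, server)
                resp, _ = sock.recvfrom(4096)
            except OSError:                 # timed out or unreachable: retry, then next server
                continue
            code, rid, length = struct.unpack("!BBH", resp[:4])
            body = resp[20:length]
            if rid != ident or resp[4:20] != hashlib.md5(resp[:4] + req_auth + body + secret).digest():
                continue                    # wrong shared secret or stale reply: treat as no answer
            if code != ACCESS_ACCEPT:
                return "radius", "reject", time.monotonic() - start
            svc = struct.unpack("!I", parse_attrs(body).get(SERVICE_TYPE, b"\0\0\0\1"))[0]
            return "radius", "admin" if svc == SERVICE_ADMINISTRATIVE else "user", time.monotonic() - start
    entry = local_db.get(user)              # RADIUS never answered: local database decides
    level = entry[1] if entry and entry[0] == password else "reject"
    return "local", level, time.monotonic() - start


def silent_server():
    """A bound socket that never answers: the 'NPS is down' case from the thread."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    return sock
```

Running `switch_login("admin", ...)` against a started `NpsLikeServer` whose directory lacks “admin” returns `("radius", "reject", ...)`, which is the behaviour described earlier in the thread: the switch-local account is never consulted while a RADIUS server answers. Against two `silent_server()` addresses the same call returns `("local", "admin", ...)` only after servers × retries × timeout seconds; with the 3 retries and 15 second timeout that `show radius` reports, that is 90 seconds for two servers, which is the “very long delay” above, and lowering the timeout shrinks it proportionally. A reply produced under a different shared secret fails the Response Authenticator check and is ignored, so a rogue or misconfigured server cannot shortcut the fallback with a forged Access-Accept.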

 

Userlevel 1

Brad, many thanks!  I think I’ll just lower the radius timeout a little bit.  That way if the network IS down and we’re on site looking at something in the switch, it won’t need to wait as long to accept the admin credential.

It’s actually kind of a nice setup. I think I’m ready to deploy to more switches. In an IT audit it was recommended to use a RADIUS type of login to our Extreme and Cisco networking environment, mostly for user management, so you can look at logs and know who logged in and made a change, but secondly because it follows our AD strong password policy.

Looks like this one will be a success!

Userlevel 6

One thing to note is that there is a process for GTAC to be let into the switch as well, so if you’re still locked out and in a dire situation, give us a ring and we can issue a one-time password that will allow us to get in and see if we can help fix things.

Brad
