Extreme Networks

XOS - Using RADIUS and local users possible?


We're finally implementing RADIUS for all of our XOS gear in conjunction with a move to NetSight. I've noticed that once RADIUS is configured on a switch, authentications that fail via RADIUS don't attempt to use the local database. I know that it will use the local database if RADIUS can't be contacted, but is there a way for XOS to check the local DB as well when RADIUS is working? I wasn't sure what the best approach would be for adding switches into NetSight, but originally we thought it would be a local account on the switch. Those aren't working now, so configuration backups started failing, which led me to this question. Thanks for the help in advance.

4 replies

Userlevel 4
Hello, it is actually not the right way for a client to check RADIUS and the local database when the RADIUS server is reachable.

The EXOS implementation is: when the RADIUS server is not reachable, it will fall back to the local database.
But when RADIUS authentication fails, it will not look into the local database.

If you really need this to work your way: I remember this issue very well; it must be in earlier 15.3 and 15.2 versions that it works the way you like.

The way you wanted RADIUS to work is as below:

When the RADIUS server is not reachable, it will fall back to the local database.
When RADIUS is reachable, it will allow access based on the RADIUS database.

Also, when RADIUS authentication fails, it will look into the local database. And if the username and password are valid as per the local database, it allows access for the client.
Userlevel 6
Andrew,

As stated in the documentation:

"A user rejected by the Radius/TACACS server can not be authenticated via local database."

This behavior can't be changed.
Thanks guys. Works for me.
Userlevel 5
Andrew,

In addition to the above responses, there is a new feature that is forthcoming that will allow you to disable the local users altogether if RADIUS or TACACS is enabled for remote admin authentication. As Parthian mentioned, in 15.3.1.4-patch1-7 and earlier, even if you have TACACS or RADIUS configured, they WILL fall back to local users. This behavior has changed with any later code releases.

Bill
