
Can't Access Switches With Loss To LDAP via NAC


Userlevel 5
Hi,

Currently have all switches in the network doing management login via RADIUS via NAC, and then on to LDAP to AD.

The problem has arisen, although two AD (LDAP) connections have been configured, where full loss of both LDAP services has occurred. (Appreciate that the resiliency here is broken, but...)

The issue is (I believe) that because RADIUS is still working between the switch and NAC, the switches still think all is good and don't fall back to a local account.

Do you know if there is any way to correct that?

Was wondering if there is a rule or an AAA configuration that could take precedence in that situation to use local authentication. Have played with that line of thought but not got anything to work.

Perhaps there is an EXOS configuration that can, for example, test the LDAP servers before doing RADIUS management authentication, or equally something NAC could do that is similar?

Anyone had the same problem and found a solution?

Many thanks.

4 replies

Userlevel 2
Martin, If the failsafe account is configured, that is an option to access the switches.
Userlevel 5
Schmotter, Ryan wrote:

Martin, If the failsafe account is configured, that is an option to access the switches.

Oh right!

The LDAP servers are back up now, but do you know if that would work via SSH and/or when locally connected?
Userlevel 2
Schmotter, Ryan wrote:

Martin, If the failsafe account is configured, that is an option to access the switches.

The Failsafe account needs to be configured, it is not on by default and does not show up in the config. It is meant to be a last-resort account. You can use it in the console and SSH. Check out page 31 of the 21.1 EXOS user guide.
Userlevel 5
Schmotter, Ryan wrote:

Martin, If the failsafe account is configured, that is an option to access the switches.

Thanks Ryan.

Fortunately I always configure one by default, but there was just one step I missed out when I tested this:

https://gtacknowledge.extremenetworks.com/articles/How_To/How-To-Create-a-Failsafe-Account

I had not permitted access to the failsafe account via SSH!

Cheers for your help
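The gap the original poster found, shown as an added configuration walk-through that is not from the thread or from Extreme's documentation. Command syntax is assumed from my recollection of the EXOS command reference (configure failsafe-account / show failsafe-account) and should be checked against the release in use.

```text
# Added example; EXOS command syntax is assumed, verify against your release.

# 1. Create the failsafe account. EXOS prompts interactively for the
#    username and password; nothing appears in "show configuration".
configure failsafe-account

# 2. Check what the account is allowed to do. The state that bit the
#    original poster: account configured, but SSH not among the permitted
#    access methods, so only the serial console accepts it.
show failsafe-account

# 3. Corrected: also permit failsafe login over SSH, so the account is
#    reachable during an LDAP outage without a trip to the console.
configure failsafe-account permit ssh

# 4. Verify while LDAP is healthy, not during the outage: open a console
#    session and then an SSH session and log in as the failsafe user.
```

Because the account is invisible in the running config, treat "show failsafe-account" as part of the pre-change checklist for every switch rather than assuming it was set up.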
