topic Re: This user does not have permissions for this command. in ExtremeCloud IQ- Site Engine Management Center

This user does not have permissions for this command.

Giuseppe_Montan — Thu, 16 Dec 2021 18:23:58 GMT

Good Afternoon,

X440 connected to XMC/NAC used to autheticate the user for management login.

IF I try to connect to the switch with ssh the prompt is this :

X440_UP > and for any command I do I receive this error:

"This user does not have permissions for this command."

The problem is the connection to radius ( XMC/NAC ) but I do not know where ( I only upgraded to the last release XMC and NAC )

Thanks
Giuseppe

Re: This user does not have permissions for this command.

Zdeněk_Pala — Fri, 17 Dec 2021 11:03:12 GMT

check what radius attributes are sent from NAC to EXOS. For Admin access the EXOS you should receive Service Type = 6

here is my NAC rule:

Administrator NAC Profile uses Enterprise User (Administrator) policy

Policy Mapping for Enterprise User (Administrator)

The switch:

Good luck

Re: This user does not have permissions for this command.

Giuseppe_Montan — Fri, 17 Dec 2021 14:28:21 GMT

Thanks for your reply.
this is my configuration and it does not work 😞

Giuseppe

Re: This user does not have permissions for this command.

Zdeněk_Pala — Fri, 17 Dec 2021 15:48:58 GMT

hi Giuseppe.

I can not read anything from your picture.

Re: This user does not have permissions for this command.

Giuseppe_Montan — Fri, 17 Dec 2021 16:10:38 GMT

Here my configuration.

Giuseppe

Re: This user does not have permissions for this command.

Zdeněk_Pala — Fri, 17 Dec 2021 16:23:01 GMT

The AAA rule looks ok
The policy mapping looks ok.

what about the rest of the config? I shared NAC rules, NAC profile, Switch config

Re: This user does not have permissions for this command.

Giuseppe_Montan — Fri, 17 Dec 2021 16:42:17 GMT

XMC Configuration and Switch configuration

Giuseppe

Re: This user does not have permissions for this command.

Zdeněk_Pala — Fri, 17 Dec 2021 17:07:21 GMT

still missing the NAC rule that should match.
Can you share PCAP of the radius access accept?

Re: This user does not have permissions for this command.

Giuseppe_Montan — Fri, 17 Dec 2021 18:42:09 GMT

Hi, on NAC and XMC I have only tcpdump, is possible to install tshark ?

Giuseppe

Re: This user does not have permissions for this command.

Zdeněk_Pala — Fri, 17 Dec 2021 18:58:27 GMT

you can execute this command:
tcpdump -ni eth0 port 1812 -w /tmp/mypcap.pcap

then you can download the pcap file.
other option is to use GUI of the NAC engine and start the packet capture there
---
regarding your screenshots:

- is your user part of the user group condition
- is your switch part of the location condition

Re: This user does not have permissions for this command.

Giuseppe_Montan — Sat, 18 Dec 2021 00:44:29 GMT

Thanks for your help,
this evening I did a restore from a previous version and everything works apart that the rule that permit a login is not a rule "management login " but is the Default-Catch-rule.
I will check the next day

Thanks
Giuseppe

Re: This user does not have permissions for this command.

JASU — Wed, 30 Mar 2022 10:04:00 GMT

I have the same issue but I am authenticating my users through Freeradius in linux. Below is attribute configuration.
How would I allow this user to run " Show configuration" for sake of taking regular backup ?

USER1 Cleartext-password := password
Filter-id = "Enterasys:version=1:mgmt=ro"

Re: This user does not have permissions for this command.

Zdeněk_Pala — Wed, 30 Mar 2022 10:13:33 GMT

The MGMT access level to different OS depends on the radius attributes. The picture in my first response shows what attributes and what values should be used. Different response is expected by different OS.

Re: This user does not have permissions for this command.

JASU — Wed, 30 Mar 2022 11:35:15 GMT

Thanks for your answer. However, I am not expert in this area of attribute interpretation into acceptable script by radius server. So can you guide me how the script should look like in the Users file for read-only user, and read-write user ?
I have ExtremeXOS version 16.2.2.4 & ExtremeXOS version 15.3.1.4 switches.

By the way, when I used below syntax with 16.2 in the Users file, it was assigning the right privilege, ro/rw/su. But with 15.3, it always authorize user with read-only regardless of the keyword I use.

USER1 Cleartext-password := password
Filter-id = "Enterasys:version=1:mgmt=ro"

Re: This user does not have permissions for this command.

Zdeněk_Pala — Wed, 30 Mar 2022 12:42:17 GMT

You are correct. this feature was enhanced in 16.x code and EXOS now supports both the original EXOS and EOS options.

This should give you Admin:
USER1 Cleartext-password := password
Service-Type = Administrative

This should give you Read Only:
USER2 Cleartext-password := password
Service-Type = Login

Re: This user does not have permissions for this command.

JASU — Wed, 30 Mar 2022 14:32:51 GMT

Is there a way to grant the user with read-only privilege to run "Show configuration" ? Or any equivalent command to show complete configuration ?

Re: This user does not have permissions for this command.

Zdeněk_Pala — Wed, 30 Mar 2022 14:43:16 GMT

The per-command authorization can be used for this purpose. The EXOS needs to be configured to request permission for each command. the Radius needs to approve/reject each command.

Re: This user does not have permissions for this command.

JASU — Wed, 30 Mar 2022 15:54:29 GMT

Would you share example to show steps from both switch & radius server ?

Re: This user does not have permissions for this command.

Zdeněk_Pala — Thu, 31 Mar 2022 00:10:50 GMT

Sorry. It is more complex. Here is the documentation for EXOS 16.1 = https://documentation.extremenetworks.com/exos_16.1/downloads/GUID-D14940D6-7F4E-4084-A9BD-069AA223D632.pdf
What you need is the Security section, pages 951+

In general you need to authenticate the user through Radius with Extreme-CLI-Authorization = enabled.
then you will receive each command through radius request and Access-accept means the command can be executed. Access-reject means the command execution is rejected.