https://community.extremenetworks.com/t5/extremeswitching-other/can-t-access-switches-with-loss-to-ldap-via-nac/m-p/9107#M135 Hi,<BR /> <BR /> Currently have all switches in the network doing management login via Radius Via NAC and then onto LDAP to AD.<BR /> <BR /> The problem has arisen, although two AD (LDAP Connections) have been configured, where Full loss to both the LDAP services has occurred. (appreciate that the resiliency here is broken, but...)<BR /> <BR /> The issue is (I believe) that because Radius is still working between the switch and NAC that the switches still think all is good and doesn't default to use a local account.<BR /> <BR /> Do you know if there is anyway to correct that?<BR /> <BR /> Was wondering if there is a Rule or an AAA configuration that could take precedence in that situation to use local authentication - have played but not got anything to work with that line of thought.<BR /> <BR /> Perhaps there is an EXOS configuration that can for example, test the LDAP servers before doing Radius Management Authentication, or equally something NAC could do similiar?<BR /> <BR /> Anyone had the same problem and found a solution?<BR /> <BR /> Many thanks.<BR /> <BR /> Fri, 22 Sep 2017 14:25:00 GMT Anonymous 2017-09-22T14:25:00Z https://community.extremenetworks.com/t5/extremeswitching-other/can-t-access-switches-with-loss-to-ldap-via-nac/m-p/9107#M135 Hi,<BR /> <BR /> Currently have all switches in the network doing management login via Radius Via NAC and then onto LDAP to AD.<BR /> <BR /> The problem has arisen, although two AD (LDAP Connections) have been configured, where Full loss to both the LDAP services has occurred. (appreciate that the resiliency here is broken, but...)<BR /> <BR /> The issue is (I believe) that because Radius is still working between the switch and NAC that the switches still think all is good and doesn't default to use a local account.<BR /> <BR /> Do you know if there is anyway to correct that?<BR /> <BR /> Was wondering if there is a Rule or an AAA configuration that could take precedence in that situation to use local authentication - have played but not got anything to work with that line of thought.<BR /> <BR /> Perhaps there is an EXOS configuration that can for example, test the LDAP servers before doing Radius Management Authentication, or equally something NAC could do similiar?<BR /> <BR /> Anyone had the same problem and found a solution?<BR /> <BR /> Many thanks.<BR /> <BR /> Fri, 22 Sep 2017 14:25:00 GMT https://community.extremenetworks.com/t5/extremeswitching-other/can-t-access-switches-with-loss-to-ldap-via-nac/m-p/9107#M135 Anonymous 2017-09-22T14:25:00Z https://community.extremenetworks.com/t5/extremeswitching-other/can-t-access-switches-with-loss-to-ldap-via-nac/m-p/9108#M136 Martin, If the failsafe account is configured, that is an option to access the switches.<BR /> <BR /> Fri, 22 Sep 2017 17:16:00 GMT https://community.extremenetworks.com/t5/extremeswitching-other/can-t-access-switches-with-loss-to-ldap-via-nac/m-p/9108#M136 Schmotter__Ryan 2017-09-22T17:16:00Z https://community.extremenetworks.com/t5/extremeswitching-other/can-t-access-switches-with-loss-to-ldap-via-nac/m-p/9109#M137 Oh right!<BR /> <BR /> The LDAP servers are backup now, but do you know if that would work via SSH and/or when locally connected?<BR /> <BR /> Fri, 22 Sep 2017 17:16:00 GMT https://community.extremenetworks.com/t5/extremeswitching-other/can-t-access-switches-with-loss-to-ldap-via-nac/m-p/9109#M137 Anonymous 2017-09-22T17:16:00Z https://community.extremenetworks.com/t5/extremeswitching-other/can-t-access-switches-with-loss-to-ldap-via-nac/m-p/9110#M138 The Failsafe account needs to be configured, it is not on by default and does not show up in the config. It is meant to be a last-resort account. You can use it in the console and SSH. Check out page 31 of the 21.1 EXOS user guide.<BR /> Fri, 22 Sep 2017 17:16:00 GMT https://community.extremenetworks.com/t5/extremeswitching-other/can-t-access-switches-with-loss-to-ldap-via-nac/m-p/9110#M138 Schmotter__Ryan 2017-09-22T17:16:00Z https://community.extremenetworks.com/t5/extremeswitching-other/can-t-access-switches-with-loss-to-ldap-via-nac/m-p/9111#M139 Thanks Ryan.<BR /> <BR /> Fortunately I always configure one by default, but there was just one step I missed out when I tested this:<BR /> <BR /> <A href="https://gtacknowledge.extremenetworks.com/articles/How_To/How-To-Create-a-Failsafe-Account" target="_blank" rel="nofollow noreferrer noopener">https://gtacknowledge.extremenetworks.com/articles/How_To/How-To-Create-a-Failsafe-Account</A><BR /> <BR /> I had not permitted access to the failsafe account via SSH!<BR /> <BR /> Cheers for your help<BR /> <BR /> Fri, 22 Sep 2017 17:16:00 GMT https://community.extremenetworks.com/t5/extremeswitching-other/can-t-access-switches-with-loss-to-ldap-via-nac/m-p/9111#M139 Anonymous 2017-09-22T17:16:00Z