This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forÂ
- Extreme Networks
- Community List
- Network Management & Authentication
- ExtremeCloud IQ- Site Engine Management Center
- Re: Inquiry: XIQ-SE WebShell SSO or Dynamic Creden...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Inquiry: XIQ-SE WebShell SSO or Dynamic Credentials for VOSS Switches (Version 24.2.15.5)
Inquiry: XIQ-SE WebShell SSO or Dynamic Credentials for VOSS Switches (Version 24.2.15.5)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
3 weeks ago
Hi GTAC Support Team,
We have recently implemented AD and RADIUS authentication for management access on our VOSS switches.
We are currently running ExtremeCloud IQ - Site Engine version 24.2.15.5. We would like to streamline the administrative access via the XIQ-SE WebShell (Device Terminal) and have a couple of questions regarding its capabilities:
- WebShell SSO: Is it possible to use the XIQ-SE SSO connection to automatically pass the credentials of the AD user currently logged into the XIQ-SE web interface directly to the WebShell session for our managed VOSS switches ?
- Dynamic / Prompted Credentials per Profile: If SSO is not supported, is it possible to configure a specific Device Profile or CLI Credential in XIQ-SE that explicitly tells the system not to use statically configured credentials ? We would like the WebShell to prompt the user for their personal AD credentials for these specific switches, without having to globally disable the "Enable Auto Login" feature for all devices in the administration options.
If these features are not currently available in our version (24.2.15.5), could you please let us know if they are supported in a more recent release or if they are on the roadmap for a future update ?
Thank you in advance for your assistance and recommendations.
Best regards,
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
3 weeks ago
The functionality you are describing is not available in Site Engine; any release.
The credentials used to access a switch via SSO are tied to the CLI Credentials profile that is tied to the SNMP Admin profile that is managing the device.
The credential of the GUI logged in user (which could be root / netsight / local accounts / active directory LDAP accounts) are NOT passed to WebShell.
This would be a feature request. Please speak with your Extreme account team.
Software releases prior to 24.10.11 can not longer be supported by GTAC. Please consider upgrading / migrating to a supported release 25.02.11 or above at this time (within the last 12 months).
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
3 weeks ago
Thanks for the detailed answer. We really appreciate you looking into this despite our older version.
Got it for the SSO limitation. Relying on the SNMP/CLI profiles is actually what we currently do for most of our switches.
Our main issue right now is that we are in a transition phase. Out of our ~400 switches, not all of them are migrated to NAC (RADIUS/AD) yet, and not all of them are planned to be migrated in the near future due to differing operational contexts across our environment.
This puts us in a tricky spot since the "Enable Auto Login" setting is global:
- If we turn it off globally, we have to manually type credentials for everything, even the legacy switches that still use SNMP/CLI profiles.
- If we leave it on, WebShell works great for the legacy switches but fails for the newly NAC-migrated ones, because XIQ-SE forces the static credentials instead of letting us type our AD logins.
Is there really no way to disable the auto-login per device or per profile ? Or to only prompt for credentials on specific switches ?
Could you confirm if:
- This is the expected behavior and a hard limitation in our current release ?
- This feature has been added or improved in a newer XIQ-SE version ?
Thanks,
Mathieu Mançon
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
3 weeks ago
This is unfortunately the limitation.
All or none. You either have auto login w/ the traditional SNMP profile and static CLI credential set or you disable auto login and enter credentials manually for every device.
This would still be a feature request -- to either (1) provide that option of keeping traditional SNMP/CLI credential and allowing it to be turned off PER device or (2) changing the traditional aspect and say passing along the GUI login credentials IF they are AD/LDAP and prompting for the AD password ... or some mix of the two (if GUI login = local or root/netsight use CLI credential; otherwise use AD LDAP account used to log into GUI)...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
3 weeks ago
Hi Mancon,
Thank you for reaching out.
Based on the GTAC team’s recommendation, please open a support case so they can review your setup and confirm whether the version in use is supported.
Regards,
Nithisha K
