This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Configure Local Accounts Restricted to Console Only

Configure Local Accounts Restricted to Console Only

Hyoun_Kim1
New Contributor II

‎02-17-2016 07:43 PM

I found a similar question here, but it was never answered:
https://community.extremenetworks.com/extreme/topics/switch_management_authentication-1h8cmy?topic-r...

I've been tasked to restrict local account access to console-only authentication on all the network equipment in our environment. For the Cisco, Arista, and Brocade equipment, I was able to accomplish this task. However for the Extreme Networks equipment, I cannot figure out how to do this.

For reference, I have an X450e-48p running ExtremeXOS v12.3.2.5.

In the Cisco equipment, I was able to to this:
aaa authentication login default group Mgmt
aaa authentication login ConsoleOnly local
!
line con 0
login authentication ConsoleOnlyIt was similary done w/ the Arista and Brocade equipment. As you can see in the example, the default login uses group Mgmt (which utilizes RADIUS). However, now with that configuration, when we connect via console, we MUST use a local login.

I know the Extreme Networks switch allows you to use a failsafe account and you can restrict that to console only, but it is my understanding that there must also be at least ONE administrator account configured on the switch.

With this, I cannot restrict console access, as the RADIUS accepted logins and the local administrator account is allowed to login via console.

Is this not do-able? Is there no way to lock down the console port access?

4 REPLIES 4

Balaji
Extreme Employee

‎02-17-2016 08:24 PM

Hyoun,

Unfortunately with EXOS we don't have that option. you cannot restrict the Console Access to local accounts.
0 Kudos

Hyoun_Kim1
New Contributor II
In response to Balaji

‎02-17-2016 08:24 PM

Got it! Thank you!
0 Kudos

Patrick_Voss
Extreme Employee

‎02-17-2016 08:04 PM

Hi Hyoun,

Unless I am misunderstanding your question I believe you can just "disable telnet" and "disable ssh"
0 Kudos

Hyoun_Kim1
New Contributor II
In response to Patrick_Voss

‎02-17-2016 08:04 PM

Hi Patrick, Sorry for the confusion.

Right now, whether console or via SSH, I can log in with both local accounts and RADIUS authenticated accounts.

What I am trying to accomplish is the following:
  1. Allow SSH to use RADIUS authentication *only* (no use of local accounts)
  2. Restrict Console ACcess to local accounts *only* (no use of RADIUS authentication).
0 Kudos
GTM-P2G8KFN