09-23-2020 07:39 PM
Hello,
I’m testing enabling active directory login using windows NPS servers. The thing is although this appears to be working, the switch no longer accepts the “admin” password. The concern is if the NPS servers were down for some reason (like a network issue) and you want to troubleshoot that network issue so you go to the network (switch) and then you woudn’t have a backdoor way in from another location.
Here is the config added to the switch
configure radius mgmt-access primary server 10.1.1.1 1645 client-ip 10.1.0.111 vr VR-Default
configure radius mgmt-access primary shared-secret Secrethere
configure radius mgmt-access secondary server 10.1.1.2 1645 client-ip 10.1.0.111 vr VR-Default
configure radius mgmt-access secondary shared-secret Secrethere
enable radius mgmt-access
Followed these two articles:
https://extremeportal.force.com/ExtrArticleDetail?an=000074221
https://extremeportal.force.com/ExtrArticleDetail?an=000078945
Also notice regular AD users can log in, but thankfully they do not have any admin rights of the switch.
Solved! Go to Solution.
09-23-2020 08:16 PM
Hi Keith,
No worries. Glad we can help. If you want to change the RADIUS timeout period the command is
# configure radius mgmt-access timeout <seconds>
RADIUS server timeout seconds. Range is 1 to 240.
The failsafe account is very much intended as a “in case of fire, break glass” type of scenario, as you said, the session isn’t logged and will always let the administrator right in.
Its definitely a viable option, though.
Thanks
Brad
09-24-2020 02:24 PM
One thing to note, is that there is a process for GTAC to be able to be let into the switch as well, so if you’re still locked out and in a dire situation, give us a ring and we can issue a one time password that will allow us to get in and see if we can help fix things.
Brad
09-24-2020 12:54 PM
Brad, many thanks! I think I’ll just lower the radius timeout a little bit. That way if the network IS down and we’re on site looking at something in the switch, it won’t need to wait as long to accept the admin credential.
It’s actually kind of a nice setup. I think I’m ready to deploy to more switches. In an IT audit it was recommended to use a radius type of login to our extreme and Cisco networking environment. Mostly for user management so you can look at logs and know who logged in and made a change, but secondly it follows our AD strong password policy.
Looks like this one will be a success!
09-23-2020 08:16 PM
Hi Keith,
No worries. Glad we can help. If you want to change the RADIUS timeout period the command is
# configure radius mgmt-access timeout <seconds>
RADIUS server timeout seconds. Range is 1 to 240.
The failsafe account is very much intended as a “in case of fire, break glass” type of scenario, as you said, the session isn’t logged and will always let the administrator right in.
Its definitely a viable option, though.
Thanks
Brad
09-23-2020 07:57 PM
Ah i see now. I checked the NPS logs, your right, its trying to authenticate the user admin to active directory and fails.
I temp disabled that radius client in my two NPS servers and tried logging in as admin again. After a very long delay, it did log in. Any way to lower the delay? I imagine its because the output of the command show radius indicates for each NPS server its 3 retries and 15 is the timeout *both asterisk by the way.
Maybe a failsafe account is a better way to go.
The idea is to use a failsafe type of account with a very long password that is just not econmical to use, that way admins who go into these switches don’t spend time looking it up, instead they use their active directory admin account credentials, therefore access is logged and also behind our AD password policy.
Thanks for your quick response. Your right… just a little tweaking to do and a full understanding before I roll this out from this test switch to our other live switch stacks.