09-23-2020 07:39 PM
Hello,
I’m testing enabling Active Directory login using Windows NPS servers. The thing is, although this appears to be working, the switch no longer accepts the “admin” password. The concern is if the NPS servers were down for some reason (like a network issue) and you want to troubleshoot that network issue, so you go to the network (switch) and then you wouldn’t have a backdoor way in from another location.
Here is the config added to the switch
configure radius mgmt-access primary server 10.1.1.1 1645 client-ip 10.1.0.111 vr VR-Default
configure radius mgmt-access primary shared-secret Secrethere
configure radius mgmt-access secondary server 10.1.1.2 1645 client-ip 10.1.0.111 vr VR-Default
configure radius mgmt-access secondary shared-secret Secrethere
enable radius mgmt-access
Followed these two articles:
https://extremeportal.force.com/ExtrArticleDetail?an=000074221
https://extremeportal.force.com/ExtrArticleDetail?an=000078945
Also, I notice regular AD users can log in, but thankfully they do not have any admin rights on the switch.
09-23-2020 08:16 PM
Hi Keith,
No worries. Glad we can help. If you want to change the RADIUS timeout period the command is
# configure radius mgmt-access timeout <seconds>
RADIUS server timeout seconds. Range is 1 to 240.
The failsafe account is very much intended as an “in case of fire, break glass” type of scenario; as you said, the session isn’t logged and will always let the administrator right in.
It’s definitely a viable option, though.
Thanks
Brad
09-23-2020 07:45 PM
The switch is not accepting the “admin” login anymore because it’s trying to authenticate that “admin” user against RADIUS, and if one isn’t present in RADIUS, then the RADIUS server is sending an Access-Reject.
09-23-2020 07:42 PM
Hi Keith,
If the RADIUS servers are unavailable, the switch should default to the on-switch database. If you are still nervous, you can configure a failsafe account on the switches that can be used and doesn’t get authenticated against RADIUS.
Brad
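To tie Brad’s two replies together, here is the poster’s mgmt-access configuration extended with the RADIUS timeout and a local failsafe account. This is an added example, not a config from the thread or from Extreme Networks; the addresses and shared secret are the placeholders from the original post, the 5-second timeout is an arbitrary choice, and the exact `configure failsafe-account` keywords are taken from memory of the EXOS command reference, so confirm them against the reference for your release before relying on them.

```exos
# Added example, not from the thread. Placeholder addresses and secret are the
# poster's; the failsafe-account syntax is an assumption to verify against the
# EXOS command reference for your release.

# RADIUS for management logins (same shape as the poster's config)
configure radius mgmt-access primary server 10.1.1.1 1645 client-ip 10.1.0.111 vr VR-Default
configure radius mgmt-access primary shared-secret Secrethere
configure radius mgmt-access secondary server 10.1.1.2 1645 client-ip 10.1.0.111 vr VR-Default
configure radius mgmt-access secondary shared-secret Secrethere

# How long the switch waits on a server that does not answer before it moves
# on to the secondary and then the on-switch database. Range is 1 to 240
# seconds; the value here is an arbitrary example.
configure radius mgmt-access timeout 5

enable radius mgmt-access

# Break-glass account held in the switch's local store and never sent to
# RADIUS. The command prompts for the username and password interactively, so
# nothing sensitive lands in the config file or the command history.
configure failsafe-account

# Limit where the failsafe account can be used. Allowing only the serial
# console means it cannot be tried over the network at all; widen this
# (e.g. permit ssh) only if you need remote break-glass access.
configure failsafe-account deny all
configure failsafe-account permit serial

# Check the result
show radius
show failsafe-account
```

The distinction Brad draws in the two replies is the part to keep in mind when testing: the switch only falls back to its local database when the RADIUS servers fail to answer (a timeout), not when a reachable NPS answers with an Access-Reject. So while NPS is up, a local “admin” login that NPS doesn’t know about stays rejected, and the failsafe account is the only path that bypasses RADIUS entirely. Test the failover by blocking UDP 1645 to both servers, not by deleting the user in AD.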