cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 

Extreme using radius JUST to authenticate, not for all command verification.

Extreme using radius JUST to authenticate, not for all command verification.

Kalil_De_A__Car
New Contributor
I have a ExtremeXOS version 16.2.1.6 configured. My intention ware just authenticate my users, but I realized when a user pass any command the Extreme checks the permition. Is this normal? It is possible change this behavior? If yes how?
Best regards
7 REPLIES 7

Kalil_De_A__Car
New Contributor
Hello Ram.

Sorry for my late. Here the information that you asked:

show configuration aaa:
configure radius mgmt-access primary server RADIUS_IP 1812 client-ip CLIENT_IP vr VR-Mgmt
configure radius mgmt-access primary shared-secret encrypted PASSWORD
configure radius mgmt-access secondary server RADIUS_IP 1812 client-ip CLIENT_IP vr VR-Mgmt
configure radius mgmt-access secondary shared-secret encrypted PASSWORD
enable radius mgmt-access

show switch:

SysName: ampere
SysLocation:
SysContact:
System MAC:
System Type: X670-48x

SysHealth check: Enabled (Normal)
Recovery Mode: All
System Watchdog: Enabled

Current Time: Thu Aug 3 10:55:20 2017
Timezone: [Auto DST Disabled] GMT Offset: -180 minutes, name is BRT.
Boot Time: Sat Jul 22 01:21:01 2017
Boot Count: 23
Next Reboot: None scheduled
System UpTime: 12 days 9 hours 34 minutes 18 seconds

Image Selected: secondary
Image Booted: secondary
Primary ver: 16.1.2.14
Secondary ver: 16.2.1.6

Config Selected: primary.cfg
Config Booted: primary.cfg

primary.cfg Created by ExtremeXOS version 16.2.1.6
1083719 bytes saved on Mon Jul 31 20:11:38 2017

show version:
Switch : 800400-00-04 1151G-00686 Rev 4.0 BootROM: 2.0.1.5 IMG: 16.2.1.6
PSU-1 : Internal PSU-1 800282-00-04 1201K-82195
PSU-2 : Internal PSU-2 800282-00-04 1201K-82194

Image : ExtremeXOS version 16.2.1.6 by release-manager
on Sat Aug 6 19:06:56 EDT 2016
BootROM : 2.0.1.5
Diagnostics : 6.4

Ram3
Extreme Employee
Could you please provide me the entire configuration of "show configuration aaa", "show switch" and "show version"? If it is an issue we need to test this in local lab. Hence, you could also open a GTAC case with "show tech" output with detailed explanation about your issue.

Kalil_De_A__Car
New Contributor
Hell all.

Good morning Ram, here my configuration:

configure radius mgmt-access primary shared-secret PASSWORD
configure radius mgmt-access primary server IP_SERVER 1812 client-ip IP_CLIENT vr VR-Mgmt
configure radius mgmt-access secondary shared-secret PASSWORD
configure radius mgmt-access secondary server IP_SERVER 1812 client-ip IP_CLIENT vr VR-Mgmt
enable radius mgmt-access

We noticed that all command which user pass ware by the switchs. Like, if a user passed "show configuration" the switch send a new check for this command. The problem is if we have any problem between switch and RADIUS server the user will do nothing any more.

We realized that beravior running tcpdum commands on RADIUS server. So, with that we could see this.

It is possible torn off this, just let the switch check login and nothing more?

Best regards.

Ronald_Dvorak
Honored Contributor
Please take a look into this post which incl a link to screenshots of a working setup...

https://community.extremenetworks.com/extreme/topics/microsoft-nps-server-vsa-configuration-for-extr...

GTM-P2G8KFN