XOS - Using RADIUS and local users possible?
‎03-27-2015 01:40 PM
We're finally implementing RADIUS for all of our XOS gear in conjunction with a move to NetSight. I've noticed that once RADIUS is configured on a switch, authentications that fail via RADIUS don't attempt to use the local database. I know that it will use the local database if RADIUS can't be contacted, but is there a way for XOS to check the local DB as well when RADIUS is working? I wasn't sure what the best approach would be for adding switches into NetSight, but originally we thought it would be a local account on the switch. Those aren't working now, so configuration backups started failing, which led me to this question. Thanks for help in advance.
4 REPLIES
‎03-27-2015 09:32 PM
Andrew,
In addition to the above responses, there is a new feature that is forthcoming that will allow you to disable the local users altogether if RADIUS or TACACS is enabled for remote admin authentication. As Parthian mentioned, in 15.3.1.4-patch1-7 and earlier, even if you have TACACS or RADIUS configured, they WILL fall back to local users. This behavior has changed with any later code releases.
Bill
‎03-27-2015 08:29 PM
Thanks guys. Works for me.
‎03-27-2015 04:08 PM
Andrew,
As stated in the documentation:
"A user rejected by the Radius/TACACS server can not be authenticated via local database."
This behavior can't be changed.
‎03-27-2015 02:48 PM
Hello, it is actually not the right way for a client to check RADIUS and the local database when the RADIUS server is reachable.
The EXOS implementation is: when the RADIUS server is not reachable, it will fall back to the local database.
But when RADIUS authentication fails, it will not look into the local database.
If you really need this to work your way: I remember this issue very well; it must be in earlier 15.3 and 15.2 versions that it works in the way you like.
The way you wanted RADIUS to work is as below:
When the RADIUS server is not reachable, it will fall back to the local database.
When RADIUS is reachable, it will allow access based on the RADIUS database.
Also, when RADIUS authentication fails, it will look into the local database, and if the username and password are valid as per the local database, it allows access for the client.
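A small Python model of the two behaviours discussed in this thread, added as an example and not part of any post or of EXOS itself: with `fallback_on_reject` off, a RADIUS reject is final and the local database is consulted only when the server does not answer; with it on, a rejected login is retried against the local database. The account name, password and function names are constructed for illustration.

```python
import hmac
from enum import Enum

class Radius(Enum):
    ACCEPT = 1    # server answered and accepted the login
    REJECT = 2    # server answered and rejected the login
    TIMEOUT = 3   # no answer: server unreachable

# Constructed local account database (name -> password), sample values only.
LOCAL_DB = {"backup-svc": "constructed-local-secret"}

def local_auth(user, password):
    """Check the credentials against the local database in constant time."""
    stored = LOCAL_DB.get(user)
    return stored is not None and hmac.compare_digest(
        stored.encode(), password.encode())

def login(radius_result, user, password, fallback_on_reject=False):
    """Return (allowed, decided_by) for one management login attempt."""
    if radius_result is Radius.ACCEPT:
        return True, "radius"
    if radius_result is Radius.REJECT and not fallback_on_reject:
        return False, "radius"   # reject is final; local DB never consulted
    # TIMEOUT always reaches here; REJECT only when fallback_on_reject is set.
    return local_auth(user, password), "local"

def policy_gap(user, password):
    """RADIUS outcomes for which the two policies give different answers."""
    return [r.name for r in Radius
            if login(r, user, password, False)[0]
            != login(r, user, password, True)[0]]

if __name__ == "__main__":
    creds = ("backup-svc", "constructed-local-secret")
    for result in Radius:
        print(result.name,
              "unreachable-only:", login(result, *creds),
              "fallback-on-reject:", login(result, *creds, fallback_on_reject=True))
    print("policies differ on:", policy_gap(*creds))
```

`policy_gap` isolates the one case where the policies differ: an account that RADIUS rejects but that still has a valid local password.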
