Can't Access Switches With Loss To LDAP via NAC

Anonymous
‎09-22-2017 07:25 AM
Hi,
Currently have all switches in the network doing management login via RADIUS via NAC and then onto LDAP to AD.
The problem has arisen, although two AD (LDAP) connections have been configured, where full loss to both of the LDAP services has occurred. (appreciate that the resiliency here is broken, but...)
The issue is (I believe) that because RADIUS is still working between the switch and NAC, the switches still think all is good and don't default to using a local account.
Do you know if there is any way to correct that?
Was wondering if there is a rule or an AAA configuration that could take precedence in that situation to use local authentication - have played but not got anything to work with that line of thought.
Perhaps there is an EXOS configuration that can, for example, test the LDAP servers before doing RADIUS management authentication, or equally something NAC could do similar?
Anyone had the same problem and found a solution?
Many thanks.
4 REPLIES
‎09-22-2017 10:16 AM
Martin, if the failsafe account is configured, that is an option to access the switches.

‎09-22-2017 10:16 AM
Thanks Ryan.
Fortunately I always configure one by default, but there was just one step I missed out when I tested this:
https://gtacknowledge.extremenetworks.com/articles/How_To/How-To-Create-a-Failsafe-Account
I had not permitted access to the failsafe account via SSH!
Cheers for your help
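The two steps the posters describe (create the failsafe account, then explicitly permit it over SSH), as an added illustration that is not part of the thread. The command syntax follows the EXOS command reference as I recall it and is an assumption; check it against the user guide for your release.

```text
! Create the failsafe account. The command prompts interactively for the
! username and password; they are stored separately and do not appear
! in "show configuration", as noted in the thread.
configure failsafe-account

! Allow the failsafe login on the serial console and over SSH, so it is
! usable when RADIUS still answers but the LDAP backends behind NAC are down.
configure failsafe-account permit serial
configure failsafe-account permit ssh

! Confirm which access methods currently accept the failsafe login.
show failsafe-account
```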
‎09-22-2017 10:16 AM
The failsafe account needs to be configured; it is not on by default and does not show up in the config. It is meant to be a last-resort account. You can use it on the console and over SSH. Check out page 31 of the 21.1 EXOS user guide.

‎09-22-2017 10:16 AM
Oh right!
The LDAP servers are back up now, but do you know if that would work via SSH and/or when locally connected?
