Unable to connect to CLI in read-only mode via Radius
‎07-06-2022 05:52 AM
I'm facing an obvious problem trying to allow CLI RO connection to FabricEngine devices using Radius on XIQ-SE.
Everything is working fine for RWA access, and my setup is similar for RO access, except for the Access Control profile on XIQ-SE, for which policy mapping is defined as "Read Only" for management.
When I try to connect through SSH to the switch, XIQ-SE accepts the connection and returns the right attributes to the switch (Passport-Access-Priority := Read-Only-Access), but the user is finally not allowed on it...
What am I doing wrong?
Thanks for your help.
‎01-08-2025 07:58 AM - edited ‎01-08-2025 07:59 AM
Have you been able to solve this? I am facing exactly the same issue. My NAC gateway (Extreme Control) correctly returns 1 for Passport-Access-Priority and sends Accept, but the switch (Fabric Engine) denies access anyway. If I change the Passport-Access-Priority to 6, the connection is accepted and I am assigned RWA access as expected.
‎07-07-2022 02:56 AM
Yes, the NAC gateway returns 1 for the Passport-Access-Priority attribute value, as you can see in the attachments.
I should point out that EDM access works well with the same configuration.
Best regards
‎07-07-2022 02:30 AM
It's correct, you have to use the "Passport-Access-Priority" attribute, but with a value of "1" for read-only and a "6" for read-write-all:
Passport-Access-Priority=1
That works fine for me:
C-5520-1:1>show users
SESSION USER ACCESS IP ADDRESS
Console mscheid ro ---------- (current)
C-5520-1:1>
Regards
Marlon
