
Log into switch with LDAP credentials

Stephen_Stormon
New Contributor III
Currently, we are using accounts created on each switch in order to be able to login.

We do have Extreme Management Center 8.x installed (we have NAC but don't have it fully configured/deployed yet) and have it configured so that users can log in to EMC with their LDAP credentials. I know that a user can then use the "Open Device Terminal" via EMC, but we want to know if it is possible (and how we would configure it) so that we can use LDAP accounts instead when they start up PuTTY and SSH to a switch. I have read lots of different posts/articles on this and my head is swimming, and I need some guidance/clarity. Thanks!

Stephen_Stormon
New Contributor III
Not sure what it was, but I deleted the switches from the "Switches" section of the Engine Settings, re-added them, and now authentication is working. Oddly, when the settings were added via XMC, they now include "1" and "2" after "config radius mgmt-access", instead of "primary" and "secondary" (which is what is listed as part of the commands to run as per https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-RADIUS-authentication-for...)

configure radius mgmt-access 1 server 172.22.16.94 1812 client-ip 172.22.32.105 vr VR-Default
configure radius 1 shared-secret encrypted "#$MwNdSNk2RwKIdgQsGIaqIMkJWRUPRKEFbmVn58wQkxaVA6imbAc="
configure radius mgmt-access 2 server 172.22.64.46 1812 client-ip 172.22.32.105 vr VR-Default
configure radius 2 shared-secret encrypted "#$tZZbcU8GAbLVTAQY1t4BEChE2BHd7Q88XXCtprfAMcTAHBBYwbw="

Ryan_Yacobucci
Valued Contributor
Take a trace on the configured RADIUS server and verify it's receiving RADIUS traffic.

If receiving the traffic make sure that your RADIUS shared secret matches on NAC and on the switch.

You can check the /var/log/radius/radius.log to see if there are any "unauthorized" messages.

Thanks
-Ryan

Stephen_Stormon
New Contributor III
I had RADIUS logins using AD accounts working, we wiped the switch, and now I can't duplicate what I had done. The switch config is now this:

* Summit-CV-Core.15 # show config | i radius
configure radius mgmt-access primary server 172.22.64.46 1812 client-ip 172.22.32.1 vr VR-Default
configure radius mgmt-access primary shared-secret encrypted "I)sGr8lkuGSTtmo/HA{7?;"
enable radius mgmt-access
enable radius netlogin

But now when trying to log in with an AD account that is a member of the "XOS Administrators" AD group, we get this in the logs:

07/12/2018 23:05:58.09 Login failed for user zzhoppy through ssh (172.21.128.29)
07/12/2018 23:05:58.09 No response from server 172.22.64.46 trying local.
07/12/2018 23:05:58.09 No servers responding
07/12/2018 23:05:55.09 Resend request to Authentication Server address 172.22.64.46 current request count is 2
07/12/2018 23:05:52.08 Resend request to Authentication Server address 172.22.64.46 current request count is 1
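A small triage script for the EXOS log lines quoted in this post, added here as an example and not part of the thread: it parses the "Login failed", "No response from server" and "Resend request" messages and separates the case where the RADIUS server never answered (what the post shows, which points at the reachability and shared-secret checks Ryan lists) from the case where the server answered with a reject. The log format and sample lines are taken from the post; the verdict labels and the script itself are my own.

```python
import re
from collections import Counter

# Constructed sample in the EXOS log format quoted in the thread (not a real capture).
SAMPLE_LOG = """\
07/12/2018 23:05:58.09 Login failed for user zzhoppy through ssh (172.21.128.29)
07/12/2018 23:05:58.09 No response from server 172.22.64.46 trying local.
07/12/2018 23:05:58.09 No servers responding
07/12/2018 23:05:55.09 Resend request to Authentication Server address 172.22.64.46 current request count is 2
07/12/2018 23:05:52.08 Resend request to Authentication Server address 172.22.64.46 current request count is 1
"""

TS = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{2}"
FAILED_RE = re.compile(TS + r" Login failed for user (\S+) through (\S+) \(([\d.]+)\)")
NORESP_RE = re.compile(TS + r" No response from server ([\d.]+)")
RESEND_RE = re.compile(TS + r" Resend request to Authentication Server address ([\d.]+)"
                       r" current request count is (\d+)")


def triage(log_text):
    """Summarise EXOS RADIUS mgmt-access events and say whether the failures
    look like 'server never answered' or 'server answered with a reject'."""
    failed = []              # (user, protocol, source ip) per failed login
    unanswered = Counter()   # server ip -> times the switch gave up waiting
    retries = {}             # server ip -> highest retry count seen
    for line in log_text.splitlines():
        if m := FAILED_RE.match(line):
            failed.append((m[1], m[2], m[3]))
        elif m := NORESP_RE.match(line):
            unanswered[m[1]] += 1
        elif m := RESEND_RE.match(line):
            retries[m[1]] = max(retries.get(m[1], 0), int(m[2]))
    if unanswered:
        # No Access-Accept/Reject ever arrived: check that the server sees the
        # traffic, that the switch is defined as a client, and the shared secret.
        verdict = "timeout"
    elif failed:
        # The server replied but denied the login: check the account and its
        # group-to-role mapping on the NAC side.
        verdict = "reject"
    else:
        verdict = "ok"
    return {"verdict": verdict, "failed": failed,
            "unanswered": dict(unanswered), "retries": retries}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Feed it the output of `show log` filtered for the RADIUS messages; a "timeout" verdict means the next place to look is the server side (/var/log/radius/radius.log), not the user's credentials.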

Stephen_Stormon
New Contributor III
Now I am confused (or most likely am just going about this the wrong way). We want to be able to use our AD accounts to log in to the switches, which we now have working. We also need the "CLI credentials" specified in "Administration -> Profiles" to be able to log in to the switch to back up configs and log in when a console is opened from Extreme Management Center. You can't specify an AD account in the CLI credentials settings screen, so how do we get AD logins and the login from the local xmc-cli account to work?