NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
M4350 entering privileged exec mode (enable) via RADIUS
Hello everyone,
My team recently received some M4350 fully managed switches and we're having some trouble entering the privileged exec mode while using RADIUS via a Windows NPS.
We're able to SSH into the switch as expected while using RADIUS, but entering the "enable" command returns the following error;
"Authentication denied invalid user credentials"
We have an enable authentication list that is looking at RADIUS first, local second, and the list is applied to the SSH configuration in the web GUI.
We're also passing the following in the NPS server...
- [Service-type] Administrative
- [Cisco-AV-Pair] shell:priv-lvl=15
Ideally we'd like to pass directly into privileged exec mode once we SSH into the switch, but we'd settle for having to manually enter the enable command. Does anyone have any guidance? We're a little stumped so far.
2 Replies
In general RADIUS terms, I'm missing the Vendor Specific attributes (VSA) here, like the admin group membership, the re-auth times, ... Without configuring vendor-specific attributes for the group of the account, it belongs to the type “User” when you go to check the logged-in users, and you can't elevate the privilege.
Completely missing these attributes for user groups and/or privileges in https://kb.netgear.com/000064865/What-are-the-supported-RADIUS-attributes-for-NETGEAR-Fully-Managed-switches
Some traces (incomplete for this purpose IMHO) seem to exist with some Netgear switch implementation https://kb.netgear.com/22014/What-is-Remote-Authentication-Dial-In-User-Service-RADIUS-user-configuration-and-how-does-it-work-with-my-managed-switch
What I have in mind - what works with my preferred security appliance products - is this -> https://support.zyxel.eu/hc/en-us/articles/360000705220-How-to-get-different-privileges-by-RADIUS-authentication
I could be completely wrong however, LaurentMa please advise - I have no such high end switches in my test farm.
While this experience dates back right to the M4100 - hence things may have changed since - try checking if you have your authorization for CLI also configured: You may already have a line "aaa authentication login [...]" and "ip https authentication [...]" regulating access for CLI and Web login, but do check if you already have a "aaa authorization exec" line.
This is (or at least used to) tell switches from where they can be told who is a privileged user or not, i.e. "aaa authorization exec default radius local".
Oh, and I realized that Netgear hasn't yet published M4350 CLI reference manuals. While I don't think much of the CLI has changed since the M4300, it would still be much appreciated since I there will likely be small differences.
NETGEAR Academy
Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology!
Join Us!
