RL_IS
Jul 28, 2020 (Aspirant)
SSH and HTTPS admin control
Hello there
I am using the OOB port to manage the switch
I am struggling to get enable access over SSH using 802.1x.
I have configured SSH / HTTPS to use Radius - I can access the console via putty or web page
Problem
When I try the enable command on PuTTY I get the message "Access Mode is configired as Read only for this user."
When I log in to the HTTPS web page I get on, but I cannot edit any settings.
Anyone experienced this??
Any help would be appreciated
2 Replies
- msi (Luminary)
Depending on your RADIUS Server (i.e. FreeRADIUS or NPS) you'll not only have to return ACCESS-ACCEPT or ACCESS-REJECT but also return an additional reply telling the switch that the user is not only granted access but with admin privileges.
This is not so well-documented on Netgear's side, but you can simply return "Service-Type = Administrative-User"; the Cisco variant also works. Here is a sanitized example of my config in FreeRADIUS in the post-auth section. In my case I'm using LDAP as backend and checking an LDAP group membership:
    post-auth {
        # Only members of the Network Admins are allowed
        if (LDAP-Group == "Network-Admins") {
            # Getting authorized requires informing the
            # (Netgear) device about privilege level.
            # Depending on the config only with this additional
            # reply message one gets authorized as admin on the shell.
            # Both seem to work on Netgear, but Administrative-User is
            # more vendor-neutral.
            update reply {
                Service-Type = Administrative-User
                Cisco-AVpair = "shell:priv-lvl=15"
            }
            noop
        }
        # No-one else is allowed.
        else {
            reject
        }
    }
Hope this helps :-)
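To check that a RADIUS server actually sends the privilege marker the reply above describes (for instance when decoding an Access-Accept captured on the wire between the RADIUS server and the switch), the following added example decodes the attribute area of a RADIUS packet and reports whether it carries Service-Type = Administrative-User (attribute 6, value 6) or a Cisco-AVpair VSA (vendor 9, vendor type 1) with "shell:priv-lvl=15". This is example code written for this thread, not code from the post, from NETGEAR or from FreeRADIUS; the two sample packets are constructed in the script with a zeroed authenticator, and the function names are my own.

```python
"""Decode a RADIUS Access-Accept and report whether it carries an
admin-privilege marker (Service-Type = Administrative-User or a Cisco-AVpair
of "shell:priv-lvl=15"). Added example; packet bytes are constructed here."""
import struct

ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
SERVICE_TYPE_ADMINISTRATIVE_USER = 6
VENDOR_CISCO = 9
CISCO_AVPAIR = 1


def parse_attributes(payload):
    """Return a list of (type, value) from the attribute area of a packet.
    Vendor-Specific (26) entries are unpacked to (26, (vendor_id, vtype, value))."""
    attrs = []
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("bad attribute length")
        value = payload[i + 2:i + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("short Vendor-Specific attribute")
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vlen < 2 or 4 + vlen > len(value):
                raise ValueError("bad vendor attribute length")
            attrs.append((atype, (vendor_id, vtype, value[6:4 + vlen])))
        else:
            attrs.append((atype, value))
        i += alen
    return attrs


def parse_packet(data):
    """Split a RADIUS packet into (code, identifier, authenticator, attributes)."""
    if len(data) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("length field does not match packet size")
    return code, ident, data[4:20], parse_attributes(data[20:length])


def admin_markers(data):
    """Report what the switch would see: accept, service_type, priv_lvl, admin."""
    code, _, _, attrs = parse_packet(data)
    service_type = None
    priv_lvl = None
    for atype, value in attrs:
        if atype == ATTR_SERVICE_TYPE and len(value) == 4:
            service_type = struct.unpack("!I", value)[0]
        elif atype == ATTR_VENDOR_SPECIFIC:
            vendor_id, vtype, vvalue = value
            if vendor_id == VENDOR_CISCO and vtype == CISCO_AVPAIR:
                text = vvalue.decode("ascii", "replace")
                if text.startswith("shell:priv-lvl="):
                    try:
                        priv_lvl = int(text.split("=", 1)[1])
                    except ValueError:
                        pass
    accept = code == ACCESS_ACCEPT
    admin = accept and (service_type == SERVICE_TYPE_ADMINISTRATIVE_USER or priv_lvl == 15)
    return {"accept": accept, "service_type": service_type, "priv_lvl": priv_lvl, "admin": admin}


# --- helpers that build the constructed sample replies ----------------------
def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value


def vsa(vendor_id, vtype, value):
    inner = bytes([vtype, len(value) + 2]) + value
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def build_packet(code, ident, attrs):
    body = b"".join(attrs)
    # Authenticator is zeroed: constructed sample, not a real signed reply.
    return struct.pack("!BBH", code, ident, 20 + len(body)) + b"\x00" * 16 + body


# Constructed sample 1: Access-Accept carrying both markers from the post-auth block.
ACCEPT_ADMIN = build_packet(ACCESS_ACCEPT, 1, [
    attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE_USER)),
    vsa(VENDOR_CISCO, CISCO_AVPAIR, b"shell:priv-lvl=15"),
])
# Constructed sample 2: bare Access-Accept; login works but the user stays read-only.
ACCEPT_READONLY = build_packet(ACCESS_ACCEPT, 2, [])

if __name__ == "__main__":
    for name, pkt in (("admin", ACCEPT_ADMIN), ("read-only", ACCEPT_READONLY)):
        print(name, admin_markers(pkt))
```

The decoder only inspects attributes; it does not verify the Response Authenticator, which needs the shared secret, so use it to confirm which attributes the server emits, not to trust a packet's origin. A bare Access-Accept (sample 2) is exactly the case the original post describes: the login succeeds but the switch treats the user as read-only.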
- RL_IS (Aspirant)
Thank you for the speedy reply and the right information
Much appreciated