RL_IS, Jul 28, 2020, Aspirant
SSH and HTTPS admin control
Hello there, I am using the OOB port to manage the switch. I am struggling to get enable access over SSH using 802.1x. I have configured SSH / HTTPS to use RADIUS - I can access the console via p...
msi, Jul 28, 2020, Luminary
Depending on your RADIUS Server (i.e. FreeRADIUS or NPS) you'll not only have to return ACCESS-ACCEPT or ACCESS-REJECT but also return an additional reply telling the switch that the user is not only granted access but with admin privileges.
This is not so well-documented on Netgear's side but you can simply return "Service-Type = Administrative-User" but also the Cisco-variant works. Here is a sanitized example of my config in FreeRADIUS in the post-auth section - in my case I'm using LDAP as backend and checking an LDAP group membership:

```
post-auth {
    # Only members of the Network Admins are allowed
    if (LDAP-Group == "Network-Admins") {
        # Getting authorized requires informing the
        # (Netgear) device about privilege level.
        # Depending on the config only with this additional
        # reply message one gets authorized as admin on the shell.
        # Both seem to work on Netgear, but Administrative-User is
        # more vendor-neutral.
        update reply {
            Service-Type = Administrative-User
            Cisco-AVpair = "shell:priv-lvl=15"
        }
        noop
    }
    # No-one else is allowed.
    else {
        reject
    }
}
```
Hope this helps :-)
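As an added illustration (not part of the original post or of any Netgear or FreeRADIUS code), the following Python parser walks the attributes of a RADIUS Access-Accept on the wire and reports whether the reply carries either of the two authorizations named above: Service-Type = Administrative-User (RFC 2865 attribute 6, value 6) or the Cisco vendor-specific pair `shell:priv-lvl=15` (vendor id 9, vendor type 1). The sample packets are constructed inline; a bare Access-Accept is what the switch sees when the server only answers ACCESS-ACCEPT, which is the situation the answer explains.

```python
import struct

RADIUS_ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6            # RFC 2865 attribute numbers
ATTR_VENDOR_SPECIFIC = 26
SERVICE_TYPE_ADMINISTRATIVE = 6  # dictionary name "Administrative-User"
CISCO_VENDOR_ID = 9
CISCO_AVPAIR_TYPE = 1            # dictionary name "Cisco-AVPair"

def parse_attributes(packet):
    """Yield (type, raw value) for each attribute after the 20-byte RADIUS header."""
    length = struct.unpack("!H", packet[2:4])[0]
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            raise ValueError("malformed attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def admin_granted(packet):
    """True only if an Access-Accept also carries Service-Type=Administrative-User
    or Cisco-AVPair "shell:priv-lvl=15"; a bare Access-Accept grants login only."""
    if packet[0] != RADIUS_ACCESS_ACCEPT:
        return False
    for atype, value in parse_attributes(packet):
        if atype == ATTR_SERVICE_TYPE and len(value) == 4:
            if struct.unpack("!I", value)[0] == SERVICE_TYPE_ADMINISTRATIVE:
                return True
        elif atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if (vendor_id == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR_TYPE
                    and value[6:4 + vlen] == b"shell:priv-lvl=15"):
                return True
    return False

def build_accept(attrs):
    """Constructed sample Access-Accept; attrs is a list of (type, raw value)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", RADIUS_ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body

def cisco_avpair(text):
    """Encode a Cisco vendor-specific attribute value (vendor id 9, type 1)."""
    return struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR_TYPE, len(text) + 2) + text

BARE_ACCEPT = build_accept([])   # what the switch sees when only ACCESS-ACCEPT is returned
ADMIN_ACCEPT = build_accept([(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE)),
                             (ATTR_VENDOR_SPECIFIC, cisco_avpair(b"shell:priv-lvl=15"))])
```

Running `admin_granted` over a captured reply is a quick way to confirm which of the two attributes your RADIUS server is actually sending before changing the switch configuration.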
RL_IS, Jul 29, 2020, Aspirant
Thank you for the speedy reply and the right information.
Much appreciated.