Re: SSH and HTTPS admin control
Hello there
I am using the OOB port to manage the switch
I am struggling to get enable access over SSH using 802.1x.
I have configured SSH / HTTPS to use Radius - I can access the console via putty or web page
Problem
When I try the enable command on PUTTY - I get the message "Access Mode is configired as Read only for this user."
When I log in the HTTPS web page - I get on but I cannot edit any settings
Anyone experienced this??
Any help would be appreciated
Accepted Solutions
Depending on your RADIUS Server (i.e. FreeRADIUS or NPS) you'll not only have to return ACCESS-ACCEPT or ACCESS-REJECT but also return an additional reply telling the switch that the user is not only granted access but with admin privileges.
This is not so well-documented on Netgear's side but you can simply return "Service-Type = Administrative-User" but also the Cisco-variant works. Here is a sanitized example of my config in FreeRADIUS in the post-auth section - in my case I'm using LDAP as backend and checking an LDAP group membership:
```
post-auth {
    # Only members of the Network Admins are allowed
    if (LDAP-Group == "Network-Admins") {
        # Getting authorized requires informing the
        # (Netgear) device about privilege level.
        # Depending on the config only with this additional
        # reply message one gets authorized as admin on the shell.
        # Both seem to work on Netgear, but Administrative-User is
        # more vendor-neutral.
        update reply {
            Service-Type = Administrative-User
            Cisco-AVpair = "shell:priv-lvl=15"
        }
        noop
    }
    # No-one else is allowed.
    else {
        reject
    }
}
```
Hope this helps 🙂
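To confirm what the RADIUS server really sends back for an account, the reply attributes can be decoded directly. The Python below is an added example, not part of the original post: it parses a RADIUS reply and reports whether it carries either of the two admin markers named above. The attribute numbers are from RFC 2865 and Cisco's vendor ID 9; the helper names and sample packets are constructed for illustration, and the Response Authenticator is not verified.

```python
import struct

ACCESS_ACCEPT = 2                      # RFC 2865 packet code
SERVICE_TYPE, VENDOR_SPECIFIC = 6, 26  # RFC 2865 attribute types
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1   # Cisco enterprise number, AVPair sub-type
SERVICE_TYPES = {1: "Login", 6: "Administrative", 7: "NAS-Prompt"}

def parse_reply(packet: bytes) -> dict:
    """Decode the privilege-related attributes of a RADIUS reply packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    result = {"code": code, "service_type": None, "cisco_avpairs": []}
    pos = 20  # attributes start after code, id, length, authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if atype == SERVICE_TYPE and len(value) == 4:
            num = struct.unpack("!I", value)[0]
            result["service_type"] = SERVICE_TYPES.get(num, str(num))
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if (vendor, vtype) == (CISCO_VENDOR_ID, CISCO_AVPAIR) and 2 <= vlen <= len(value) - 4:
                result["cisco_avpairs"].append(value[6:4 + vlen].decode("ascii", "replace"))
        pos += alen
    return result

def grants_admin(reply: dict) -> bool:
    """True only for an Access-Accept carrying one of the two admin markers."""
    return reply["code"] == ACCESS_ACCEPT and (
        reply["service_type"] == "Administrative"
        or "shell:priv-lvl=15" in reply["cisco_avpairs"])

# --- constructed sample packets (zeroed authenticator, identifier 1) ---
def build_reply(code: int, attrs: bytes = b"") -> bytes:
    return struct.pack("!BBH", code, 1, 20 + len(attrs)) + bytes(16) + attrs

def service_type_attr(number: int) -> bytes:
    return struct.pack("!BBI", SERVICE_TYPE, 6, number)

def avpair_attr(text: str) -> bytes:
    body = text.encode("ascii")
    return struct.pack("!BBIBB", VENDOR_SPECIFIC, 8 + len(body),
                       CISCO_VENDOR_ID, CISCO_AVPAIR, 2 + len(body)) + body

if __name__ == "__main__":
    for name, attrs in [("bare accept", b""), ("admin", service_type_attr(6))]:
        print(name, grants_admin(parse_reply(build_reply(ACCESS_ACCEPT, attrs))))
```

A bare Access-Accept with neither attribute matches the read-only symptom described in the question, so auditing replies this way also shows which accounts are being handed admin rights.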
All Replies
Thank you for the speedy reply and the right information
Much appreciated