RL_IS
Aspirant

SSH and HTTPS admin control

Hello there

I am using the OOB port to manage the switch.

I am struggling to get enable access over SSH using 802.1x.

I have configured SSH/HTTPS to use RADIUS; I can access the console via PuTTY or the web page.

Problem

When I try the enable command in PuTTY, I get the message "Access Mode is configured as Read only for this user."

When I log in to the HTTPS web page, I get on but I cannot edit any settings.

Has anyone experienced this?

Any help would be appreciated.

Model: XSM4316S|M4300-8X8F - Stackable Managed Switch with 16x10G including 8x10GBASE-T and 8xSFP+ Layer 3

Accepted Solutions
msi
Luminary

Re: SSH and HTTPS admin control

Depending on your RADIUS server (e.g. FreeRADIUS or NPS), you'll not only have to return Access-Accept or Access-Reject but also return an additional reply telling the switch that the user is not only granted access but granted it with admin privileges.

This is not so well documented on Netgear's side, but you can simply return "Service-Type = Administrative-User"; the Cisco variant also works. Here is a sanitized example of my config in FreeRADIUS, in the post-auth section; in my case I'm using LDAP as backend and checking an LDAP group membership:

post-auth {
        # Only members of the Network Admins group are allowed
        if (LDAP-Group == "Network-Admins") {
                # Getting authorized requires informing the
                # (Netgear) device about the privilege level.
                # Depending on the config, only with this additional
                # reply attribute does one get authorized as admin on the shell.

                # Both seem to work on Netgear, but Administrative-User is
                # more vendor-neutral.
                update reply {
                        Service-Type = Administrative-User
                        Cisco-AVPair = "shell:priv-lvl=15"
                }
                noop
        }

        # No-one else is allowed.
        else {
                reject
        }
}

Hope this helps 🙂

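As an added example (not code from the thread, from Netgear or from FreeRADIUS), here is the reply the answer describes at the wire level in Python: the Access-Accept that FreeRADIUS or NPS sends back, with Service-Type = Administrative-User (RFC 2865 value 6) and the Cisco-AVPair carried as a Vendor-Specific attribute (vendor 9, sub-type 1), the Response Authenticator the switch checks before trusting any of it, and a parser that reads the privilege back out. The read-only default and the 15 = admin mapping in privilege_level() are an assumption modelled on what the original poster saw, not documented Netgear behaviour; the shared secret and Request Authenticator are constructed values.

```python
"""Build and inspect a RADIUS Access-Accept carrying admin-privilege attributes.

Constructed example: RFC 2865 attribute TLVs and Response Authenticator, with
the Cisco AV-pair as a Vendor-Specific sub-attribute. The privilege mapping
in privilege_level() is an assumption modelled on the thread, not documented
Netgear behaviour.
"""
import hashlib
import hmac
import struct

CODE_ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
SERVICE_TYPE_ADMINISTRATIVE_USER = 6   # "Administrative-User" in the FreeRADIUS dictionary
VENDOR_CISCO = 9
CISCO_AVPAIR = 1                        # Cisco-AVPair sub-attribute type


def encode_attr(attr_type, value):
    """One RADIUS TLV: Type, Length (includes the 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_service_type(service_type):
    return encode_attr(ATTR_SERVICE_TYPE, struct.pack("!I", service_type))


def encode_cisco_avpair(text):
    """Vendor-Specific(26) = Vendor-Id 9 + sub-attribute 1 (Cisco-AVPair)."""
    sub = encode_attr(CISCO_AVPAIR, text.encode())
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + sub)


def build_access_accept(identifier, request_authenticator, secret, attributes):
    """Assemble the reply; the switch validates the Response Authenticator."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(body))
    # RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def response_authenticator_ok(packet, request_authenticator, secret):
    """What the NAS checks before trusting any attribute in the reply."""
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attributes(packet):
    """Yield (type, value) pairs; reject lengths that overrun the packet."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad packet length")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        yield attr_type, packet[pos + 2:pos + attr_len]
        pos += attr_len


def cisco_avpairs(vsa_value):
    """Return the Cisco-AVPair strings inside one Vendor-Specific value."""
    if len(vsa_value) < 4 or struct.unpack("!I", vsa_value[:4])[0] != VENDOR_CISCO:
        return []
    pairs, pos = [], 4
    while pos < len(vsa_value):
        if pos + 2 > len(vsa_value):
            raise ValueError("truncated VSA sub-attribute")
        sub_type, sub_len = vsa_value[pos], vsa_value[pos + 1]
        if sub_len < 2 or pos + sub_len > len(vsa_value):
            raise ValueError("bad VSA sub-attribute length")
        if sub_type == CISCO_AVPAIR:
            pairs.append(vsa_value[pos + 2:pos + sub_len].decode("ascii", "replace"))
        pos += sub_len
    return pairs


def privilege_level(packet):
    """Assumed mapping, modelled on the thread: no privilege attribute means
    read-only (1); Service-Type Administrative-User or shell:priv-lvl=15
    means full admin (15)."""
    level = 1
    for attr_type, value in parse_attributes(packet):
        if attr_type == ATTR_SERVICE_TYPE and len(value) == 4:
            if struct.unpack("!I", value)[0] == SERVICE_TYPE_ADMINISTRATIVE_USER:
                level = max(level, 15)
        elif attr_type == ATTR_VENDOR_SPECIFIC:
            for pair in cisco_avpairs(value):
                lvl = pair.split("=", 1)[1] if pair.startswith("shell:priv-lvl=") else ""
                if lvl.isdigit():
                    level = max(level, int(lvl))
    return level


if __name__ == "__main__":
    # Constructed values; a real Request Authenticator is random per request.
    request_auth = bytes(range(16))
    secret = b"testing123"
    with_admin = build_access_accept(7, request_auth, secret, [
        encode_service_type(SERVICE_TYPE_ADMINISTRATIVE_USER),
        encode_cisco_avpair("shell:priv-lvl=15"),
    ])
    bare_accept = build_access_accept(8, request_auth, secret, [])
    print("admin reply   ->", privilege_level(with_admin))
    print("bare accept   ->", privilege_level(bare_accept))
    print("authenticator ok:", response_authenticator_ok(with_admin, request_auth, secret))
```

To see what your own server really sends, `radtest <user> <password> <server> 0 <secret>` (from the FreeRADIUS client tools) prints the reply attributes as the switch would receive them; a bare Access-Accept with no Service-Type or Cisco-AVPair is the pattern that leaves you in read-only mode. On NPS the equivalent is adding the same two attributes under the network policy's RADIUS Attributes settings (Standard: Service-Type = Administrative; Vendor Specific: Cisco-AV-Pair).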

RL_IS
Aspirant

Re: SSH and HTTPS admin control

Thank you for the speedy reply and the right information.

Much appreciated.
