× NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Orbi WiFi 7 RBE973

Re: SSH and HTTPS admin control

RL_IS
Aspirant

SSH and HTTPS admin control

Hello there

I am using the OOB port to manage the switch

 

I am struggling to get enable access over SSH using 802.1x.

I have configured SSH / HTTPS to use Radius - I can access the console via putty or web page

 

Problem

When I try the enable command on PUTTY - I get the message "Access Mode is configired as Read only for this user."

When I log in the HTTPS web page - I get on but I cannot edit any settings

 

Anyone experienced this??

 

Any help would be appreciated

 

 

Model: XSM4316S|M4300-8X8F - Stackable Managed Switch with 16x10G including 8x10GBASE-T and 8xSFP+ Layer 3
Message 1 of 3

Accepted Solutions
msi
Luminary
Luminary

Re: SSH and HTTPS admin control

Depending on your RADIUS Server (i.e. FreeRADIUS or NPS) you'll not only have to return ACCESS-ACCEPT or ACCESS-REJECT but also return an additional reply telling the switch that the user is not only granted access but with admin privileges.

 

This is not so well-documented on Netgear's side but you can simply return "Service-Type = Administrative-User" but also the Cisco-variant works. Here is an sanitized example of my config in FreeRADIUS in the post-auth Section - in my case I'm using LDAP as backend and checking an LDAP group membership:

post-auth {
        # Only members of the Network Admins are allowed
        if (LDAP-Group == "Network-Admins") {
                # Getting authorized requires informing the
                # (Netgear) device about privilege level.
                # Depending on the config only with this additional
                # reply message one gets authorized as admin on the shell.

                # Both seeme to work on Netgear, but Administrative-User is 
                # more vendor-neutral.
                update reply {
                        Service-Type = Administrative-User
                        Cisco-AVpair = "shell:priv-lvl=15"
                }
                noop
        }

        # No-one else is allowed.
        else {
                reject
        }

Hope this helps 🙂

View solution in original post

Message 2 of 3

All Replies
msi
Luminary
Luminary

Re: SSH and HTTPS admin control

Depending on your RADIUS Server (i.e. FreeRADIUS or NPS) you'll not only have to return ACCESS-ACCEPT or ACCESS-REJECT but also return an additional reply telling the switch that the user is not only granted access but with admin privileges.

 

This is not so well-documented on Netgear's side but you can simply return "Service-Type = Administrative-User" but also the Cisco-variant works. Here is an sanitized example of my config in FreeRADIUS in the post-auth Section - in my case I'm using LDAP as backend and checking an LDAP group membership:

post-auth {
        # Only members of the Network Admins are allowed
        if (LDAP-Group == "Network-Admins") {
                # Getting authorized requires informing the
                # (Netgear) device about privilege level.
                # Depending on the config only with this additional
                # reply message one gets authorized as admin on the shell.

                # Both seeme to work on Netgear, but Administrative-User is 
                # more vendor-neutral.
                update reply {
                        Service-Type = Administrative-User
                        Cisco-AVpair = "shell:priv-lvl=15"
                }
                noop
        }

        # No-one else is allowed.
        else {
                reject
        }

Hope this helps 🙂

Message 2 of 3
RL_IS
Aspirant

Re: SSH and HTTPS admin control

Thank you for the speedy reply and the right information

 

Much appreciated

 

 

Message 3 of 3
Discussion stats
  • 2 replies
  • 2408 views
  • 2 kudos
  • 2 in conversation
Announcements