
RADIUS Authentication FR

Posted: Thu Jun 03, 2021 8:46 pm
by nroufus
Hello,

I've got a feature request: Ability to prefer RADIUS over local auth when RADIUS is configured/responding.

We've begun rolling out RADIUS to all of our Netonix switches and it would be nice to have the option to prioritize RADIUS over local auth, or disable local auth altogether (though maybe not the best idea). Ultimately, we'd like to force users to log in with their own users for audit purposes, having the local admin user available only when RADIUS is unresponsive, without having to change local admin passwords system-wide.

Maybe a dropdown of options under the RADIUS config section? Thoughts?

Auth Mode:
- Local only
- RADIUS, then local
- RADIUS only

Thanks!

Re: RADIUS Authentication FR

Posted: Thu Jun 03, 2021 10:48 pm
by cbl
Having local user/pass work only when RADIUS is non-responsive is the ideal scenario. That way there’s a clear audit trail of who did what. Otherwise everybody just uses the same “admin” username and I have to play the guessing game of who to blame.

I also recently noticed an attempting-to-authenticate user's password is passed in clear text to radclient on the cmdline during a RADIUS auth request. Not sure if there would be a more secure way to handle that so I don’t happen to be exposed to my coworkers' non-encrypted passwords accidentally :)

Re: RADIUS Authentication FR

Posted: Mon Jun 07, 2021 11:02 am
by sakita
I also would prefer to have these options. If RADIUS is available the switch should use it. Effectively the local password should only come into play when connecting to the switch isolated from the network (or if RADIUS is unreachable / down). The only downside is waiting for the RADIUS timeout :cry:

One of the other brands of switches we use has these options:

- TACACS+orLocal
- RADIUSorLocal
- TACACS+
- RADIUS
- Local

When RADIUSorLocal is selected and RADIUS is available the switch will only accept a RADIUS password. Since, in our case, the local password isn't in the database RADIUS is using, this means the local password will not work. It gets passed and rejected. This makes sense and is how I would prefer the Netonix to behave as well :cheers:
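
The "RADIUS, then local" behaviour described in this thread, sketched as an added example (not part of any post and not Netonix firmware code): a reject from RADIUS is final, and the local password is tried only when no server answers. The mode keys, function names and account data are hypothetical and constructed for illustration.

```python
import hmac
from enum import Enum

class Radius(Enum):
    ACCEPT = 1
    REJECT = 2
    TIMEOUT = 3  # no server answered within the retry window

# Mode keys are hypothetical; they mirror the dropdown proposed in the thread.
LOCAL_ONLY, RADIUS_THEN_LOCAL, RADIUS_ONLY = "local", "radius_then_local", "radius_only"

def decide(mode, radius_query, local_check, user, password):
    """Return (allowed, source); source is what an audit log would record."""
    if mode == LOCAL_ONLY:
        return local_check(user, password), "local"
    result = radius_query(user, password)
    if result is Radius.ACCEPT:
        return True, "radius"
    if result is Radius.REJECT:
        # A reject is final. Falling through to local here would keep the
        # shared admin password usable while RADIUS is up.
        return False, "radius"
    if mode == RADIUS_THEN_LOCAL:
        return local_check(user, password), "local-fallback"
    return False, "radius-unreachable"

# Constructed sample data: one per-user RADIUS account, one shared local admin.
RADIUS_DB = {"alice": "alice-pw"}
LOCAL_DB = {"admin": "local-pw"}

def _match(db, user, password):
    stored = db.get(user)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

def local_check(user, password):
    return _match(LOCAL_DB, user, password)

def radius_up(user, password):    # stand-in for a reachable RADIUS server
    return Radius.ACCEPT if _match(RADIUS_DB, user, password) else Radius.REJECT

def radius_down(user, password):  # stand-in for an unreachable server
    return Radius.TIMEOUT

if __name__ == "__main__":
    for name, backend in (("up", radius_up), ("down", radius_down)):
        for user, pw in (("alice", "alice-pw"), ("admin", "local-pw")):
            print(name, user, decide(RADIUS_THEN_LOCAL, backend, local_check, user, pw))
```

Recording the returned source alongside the username lets an auditor see every login that used the local fallback.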

Re: RADIUS Authentication FR

Posted: Tue Jun 08, 2021 6:32 pm
by Stephen
Sounds like a good idea to me.