RADIUS Authentication FR

nroufus
Member
 
Posts: 3
Joined: Fri Aug 19, 2016 3:52 pm
Has thanked: 0 time
Been thanked: 0 time

RADIUS Authentication FR

Thu Jun 03, 2021 8:46 pm

Hello,

I've got a feature request: Ability to prefer RADIUS over local auth when RADIUS is configured/responding.

We've begun rolling out RADIUS to all of our Netonix switches and it would be nice to have the option to prioritize RADIUS over local auth, or disable local auth altogether (though maybe not the best idea). Ultimately, we'd like to force users to login with their own users for audit purposes, having the local admin user available only when RADIUS is unresponsive.. without having to change local admin passwords system-wide.

Maybe a dropdown of options under the RADIUS config section? Thoughts?

Auth Mode:
- Local only
- RADIUS, then local
- RADIUS only

Thanks!

cbl
Member
 
Posts: 44
Joined: Mon Mar 30, 2015 6:42 pm
Has thanked: 0 time
Been thanked: 6 times

Re: RADIUS Authentication FR

Thu Jun 03, 2021 10:48 pm

Having local user/pass work only when radius is non responsive is the ideal scenario. That way there’s a clear audit trail of who did what. Otherwise everybody just uses the same “admin” username and I have to place the guessing game of who to blame.

I also recently noticed an attempting-to-authenticate users password is passed in clear text to radclient on the cmdline during a radius auth request. Not sure if there would be a more secure way to handle that so I don’t happen to be exposed to my coworkers non encrypted passwords accidentally :)

User avatar
sakita
Experienced Member
 
Posts: 206
Joined: Mon Aug 17, 2015 2:44 pm
Location: Arizona, USA
Has thanked: 93 times
Been thanked: 80 times

Re: RADIUS Authentication FR

Mon Jun 07, 2021 11:02 am

I also would prefer to have these options. If RADIUS is available the switch should use it. Effectively the local password should only come into play when connecting to the switch isolated from the network (or if RADIUS is unreachable / down). The only downside is waiting for the RADIUS timeout :cry:

One of the other brands of switches we use has these options:

- TACACS+orLocal
- RADIUSorLocal
- TACACS+
- RADIUS
- Local

When RADIUSorLocal is selected and RADIUS is available the switch will only accept a RADIUS password. Since, in our case, the local password isn't in the database RADIUS is using, this means the local password will not work. It gets passed and rejected. This makes sense and is how I would prefer the Netonix to behave as well :cheers:
Today is an average day: Worse than yesterday, but better than tomorrow.

User avatar
Stephen
Employee
Employee
 
Posts: 1033
Joined: Sun Dec 24, 2017 8:56 pm
Has thanked: 85 times
Been thanked: 181 times

Re: RADIUS Authentication FR

Tue Jun 08, 2021 6:32 pm

Sounds like a good idea too me.

Return to General Discussion

Who is online

Users browsing this forum: No registered users and 29 guests