Hello,
I've got a feature request: Ability to prefer RADIUS over local auth when RADIUS is configured/responding.
We've begun rolling out RADIUS to all of our Netonix switches and it would be nice to have the option to prioritize RADIUS over local auth, or disable local auth altogether (though maybe not the best idea). Ultimately, we'd like to force users to login with their own users for audit purposes, having the local admin user available only when RADIUS is unresponsive.. without having to change local admin passwords system-wide.
Maybe a dropdown of options under the RADIUS config section? Thoughts?
Auth Mode:
- Local only
- RADIUS, then local
- RADIUS only
Thanks!
RADIUS Authentication FR
- nroufus
- Member
- Posts: 3
- Joined: Fri Aug 19, 2016 3:52 pm
- Has thanked: 0 time
- Been thanked: 0 time
Re: RADIUS Authentication FR
Having local user/pass work only when radius is non responsive is the ideal scenario. That way there’s a clear audit trail of who did what. Otherwise everybody just uses the same “admin” username and I have to place the guessing game of who to blame.
I also recently noticed an attempting-to-authenticate users password is passed in clear text to radclient on the cmdline during a radius auth request. Not sure if there would be a more secure way to handle that so I don’t happen to be exposed to my coworkers non encrypted passwords accidentally :)
I also recently noticed an attempting-to-authenticate users password is passed in clear text to radclient on the cmdline during a radius auth request. Not sure if there would be a more secure way to handle that so I don’t happen to be exposed to my coworkers non encrypted passwords accidentally :)
-
sakita - Experienced Member
- Posts: 206
- Joined: Mon Aug 17, 2015 2:44 pm
- Location: Arizona, USA
- Has thanked: 93 times
- Been thanked: 80 times
Re: RADIUS Authentication FR
I also would prefer to have these options. If RADIUS is available the switch should use it. Effectively the local password should only come into play when connecting to the switch isolated from the network (or if RADIUS is unreachable / down). The only downside is waiting for the RADIUS timeout
One of the other brands of switches we use has these options:
- TACACS+orLocal
- RADIUSorLocal
- TACACS+
- RADIUS
- Local
When RADIUSorLocal is selected and RADIUS is available the switch will only accept a RADIUS password. Since, in our case, the local password isn't in the database RADIUS is using, this means the local password will not work. It gets passed and rejected. This makes sense and is how I would prefer the Netonix to behave as well
One of the other brands of switches we use has these options:
- TACACS+orLocal
- RADIUSorLocal
- TACACS+
- RADIUS
- Local
When RADIUSorLocal is selected and RADIUS is available the switch will only accept a RADIUS password. Since, in our case, the local password isn't in the database RADIUS is using, this means the local password will not work. It gets passed and rejected. This makes sense and is how I would prefer the Netonix to behave as well
Today is an average day: Worse than yesterday, but better than tomorrow.
4 posts
Page 1 of 1
Who is online
Users browsing this forum: No registered users and 23 guests