New Member
Posts: 26
Registered: ‎10-01-2018
Solutions: 2

ES48 1.8.1 radius login config

Looking for some help with configuring radius login capability. I'm pretty new to these switches and still new to the CLI. I already have an NPS created and set up with a Connection Request Policy, Network Policy, and the switch as a radius client. I also have the Cisco-AV-Pair shell:priv-lvl=15 attribute configured. All help is greatly appreciated.

Ubiquiti Employee
Posts: 2,490
Registered: ‎05-08-2017
Kudos: 446
Solutions: 364

Re: ES48 1.8.1 radius login config

Hi @montgomery001,

Please have a look at the thread here.

-Ben


Ben Pin - EdgeMAX Support

New Member
Posts: 26
Registered: ‎10-01-2018
Solutions: 2

Re: ES48 1.8.1 radius login config

Apologies for taking so long to reply, I finally had the time to give this a shot. I did exactly as @UBNT-benpin pointed with no luck. Here are the exact commands I used:

login via ssh
enable then password
configure
radius server host auth 192.168.24.28 name nps port 1812
radius server key auth 192.168.24.28
(enter PSK twice)
radius server primary 192.168.24.28
ip http authentication local radius
ip https authentication local radius
exit
copy system:running-config nvram:startup-config

After that I checked the legacy GUI and under System > AAA > Authentication List it shows httplist and httpslist as local,radius under method options. Under list type it shows default. I have checked the NPS server event logs and they show no events coming from the switch. I have my router pointed to the same NPS and can see logs for that. I'm sure that the switch is added as a radius client in the NPS, and the appropriate Connection Request and Network Policies are correct. I would be more than happy to post pics of the policy configs if anyone wants. Also I would like to be able to ENABLE and SSH into the switch with the same process if possible. I have also made sure that the port and protocol are open on the NPS server firewall. Any help is greatly appreciated.

Ubiquiti Employee
Posts: 2,490
Registered: ‎05-08-2017
Kudos: 446
Solutions: 364

Re: ES48 1.8.1 radius login config

Hi @montgomery001,

Can you attach the (sanitized) configuration of the EdgeSwitch? We have an article here on how to download the backup configuration file.

-Ben


Ben Pin - EdgeMAX Support

New Member
Posts: 26
Registered: ‎10-01-2018
Solutions: 2

Re: ES48 1.8.1 radius login config

@UBNT-benpin thanks for the reply and the help. Attached is the sanitized config. It appears to me, going through it, that the commands took. Before deleting I verified that the PSK in the config was the same as on the NPS. Maybe it could be something on the NPS side. Do you know of any posts or articles that could possibly help me find the misconfiguration if it's not in the switch? Also, what configuration needs to happen to make the user account have enable rights?

Thanks again for all the help.

Ubiquiti Employee
Posts: 2,490
Registered: ‎05-08-2017
Kudos: 446
Solutions: 364

Re: ES48 1.8.1 radius login config

Hi @montgomery001,

Thanks again for the configuration file.

You don't seem to have added AAA authentication and authorization to the device. This is necessary to specify the login method that will be used by default (local login is set by default on all lines). There are some example configs in the thread I linked earlier.

You can either use the default list name (which applies AAA login to all lines) or use your own custom list name and then decide where it needs to be applied. An example of a custom list name (aaa-list) is:

aaa authentication login aaa-list local radius
aaa authorization exec aaa-list local radius
aaa accounting exec aaa-list start-stop radius

line ssh
 accounting exec aaa-list
 login authentication aaa-list
 authorization exec aaa-list
 exit

line telnet
 accounting exec aaa-list
 login authentication aaa-list
 authorization exec aaa-list
 exit

ip http accounting exec aaa-list
ip http authentication local radius

ip https accounting exec aaa-list
ip https authentication local radius

If you also want to use RADIUS accounting, you will need to add:

radius accounting mode
radius server host acct 192.168.24.28 name nps port 1813
radius server key acct 192.168.24.28

If you want authenticated users to end up in privileged (#) mode instead of user (>) mode, also add the Cisco-AV-Pair attribute.

There is an example image in the post here.

Note that RADIUS and TACACS+ authentication currently only work with the lines (Telnet / SSH / Console) and the legacy Web UI.

-Ben


Ben Pin - EdgeMAX Support
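As an added example (not part of the thread and not Ubiquiti's code), the Python script below lints an EdgeSwitch-style running-config for the three pieces the reply above turns on: a RADIUS authentication server with its shared key, an "aaa authentication login" method list that includes radius, and, when a custom list name is used, that list actually being applied to the SSH and Telnet lines (the default list is treated as applying everywhere, as the reply states). The two sample configs are constructed: the server address and the list name aaa-list come from the thread, while the quoted server name, the `encrypted "REDACTED"` key line and the exact running-config layout are assumptions.

```python
"""Lint an EdgeSwitch-style running-config for a complete RADIUS login setup.

Added example, not Ubiquiti's code. Checks: a RADIUS auth server with a
shared key, an 'aaa authentication login' method list that includes radius,
and (for a custom list name) that the list is bound to the SSH/Telnet lines.
"""
import re

# Constructed sample mirroring the original poster's situation: the RADIUS
# server and key exist, but no AAA method list is defined or applied.
BROKEN_CONFIG = """\
!Current Configuration:
radius server host auth 192.168.24.28 name "nps" port 1812
radius server key auth 192.168.24.28 encrypted "REDACTED"
radius server primary 192.168.24.28
ip http authentication local radius
ip https authentication local radius
line ssh
exit
line telnet
exit
"""

# The same config with the method list from the reply above added (constructed).
FIXED_CONFIG = BROKEN_CONFIG.replace("line ssh\nexit\nline telnet\nexit\n", """\
aaa authentication login aaa-list local radius
aaa authorization exec aaa-list local radius
line ssh
 login authentication aaa-list
 authorization exec aaa-list
 exit
line telnet
 login authentication aaa-list
 authorization exec aaa-list
 exit
""")


def parse_config(text):
    """Split config text into global commands and per-line sub-commands."""
    global_cmds, line_cmds, current = [], {}, None
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith("!"):
            continue                      # blank or comment line
        m = re.match(r"line (ssh|telnet|console)$", cmd)
        if m:
            current = m.group(1)          # enter line sub-mode
            line_cmds.setdefault(current, [])
            continue
        if cmd == "exit" and current is not None:
            current = None                # leave line sub-mode
            continue
        (line_cmds[current] if current else global_cmds).append(cmd)
    return global_cmds, line_cmds


def _hosts(cmds, kind):
    """Addresses named in 'radius server <kind> auth <addr> ...' commands."""
    found = set()
    for cmd in cmds:
        m = re.match(rf"radius server {kind} auth (\S+)", cmd)
        if m:
            found.add(m.group(1))
    return found


def check_radius_login(text, list_name="default"):
    """Return a list of findings; an empty list means the setup is complete."""
    global_cmds, line_cmds = parse_config(text)
    findings = []

    auth_hosts = _hosts(global_cmds, "host")
    key_hosts = _hosts(global_cmds, "key")
    if not auth_hosts:
        findings.append("no RADIUS authentication server configured")
    for host in sorted(auth_hosts - key_hosts):
        findings.append(f"RADIUS server {host} has no shared key")

    prefix = f"aaa authentication login {list_name} "
    lists = [c for c in global_cmds if c.startswith(prefix)]
    if not lists:
        findings.append(f"no 'aaa authentication login {list_name}' method list")
    elif "radius" not in lists[0][len(prefix):].split():
        findings.append(f"method list '{list_name}' does not include radius")

    # The default list applies to every line; a custom list must be bound.
    if list_name != "default":
        for line_name in ("ssh", "telnet"):
            if f"login authentication {list_name}" not in line_cmds.get(line_name, []):
                findings.append(f"line {line_name} does not apply login list '{list_name}'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_radius_login(cfg, "aaa-list") or ["OK"])
```

Run against a real backup, pass the list name you chose (or omit it for the default list); on the constructed broken config it reports the missing method list and the two unbound lines, which is exactly the gap the reply points out.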

New Member
Posts: 26
Registered: ‎10-01-2018
Solutions: 2

Re: ES48 1.8.1 radius login config

Thank you so much @UBNT-benpin for all the help. I was able to get it working. I can log into the GUI with radius and SSH with radius right to enable mode. However, if I exit to user mode I'm not able to enable again. This is not a huge deal though. Added another backup just in case there is something that I'm missing.

Ubiquiti Employee
Posts: 2,490
Registered: ‎05-08-2017
Kudos: 446
Solutions: 364

Re: ES48 1.8.1 radius login config

Glad that you were able to get it working!


The enable password is a separate authentication method. Looking at the NPS server, you will see a similar log message:

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
	Security ID:			NULL SID
	Account Name:			$enab15$
	Account Domain:			WIN2016
	Fully Qualified Account Name:	WIN2016\$enab15$

This means that you will need to create a separate user account named $enab15$ and associate it with a password. Another option is to set a local enable password on the switch itself:

EdgeSwitch) #enable password ?

<cr>                     Press enter to execute the command.
<password>               Specify the password.

In your config, the enable password is checked first. If it does not exist, the request will be forwarded to the RADIUS server.

-Ben


Ben Pin - EdgeMAX Support
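As an added example (not part of the thread, and not Microsoft's or Ubiquiti's code), the Python script below triages NPS "denied access" events so that an administrator can tell the switch's forwarded enable requests, which arrive under the account name $enab15$ shown in the reply above, apart from ordinary login denials. The two events are constructed to match the shape of the log in the reply; the user jdoe, the "RADIUS Client" section and the client address are assumptions.

```python
"""Triage NPS 'denied access' events coming from an EdgeSwitch RADIUS client.

Added example, not Microsoft's or Ubiquiti's code. The switch forwards an
'enable' request to RADIUS as user $enab15$ (the account name seen in the
reply above); this separates those from normal login denials so the fix
(a $enab15$ account on NPS, or a local enable password on the switch) is
obvious. Events, user 'jdoe' and client address are constructed.
"""
import re
from collections import Counter

SAMPLE_EVENTS = [
    "Network Policy Server denied access to a user.\n"
    "\n"
    "User:\n"
    "\tSecurity ID:\t\t\tNULL SID\n"
    "\tAccount Name:\t\t\t$enab15$\n"
    "\tAccount Domain:\t\t\tWIN2016\n"
    "\tFully Qualified Account Name:\tWIN2016\\$enab15$\n"
    "\n"
    "RADIUS Client:\n"
    "\tClient Friendly Name:\t\tedgeswitch\n"
    "\tClient IP Address:\t\t192.168.24.10\n",
    "Network Policy Server denied access to a user.\n"
    "\n"
    "User:\n"
    "\tSecurity ID:\t\t\tNULL SID\n"
    "\tAccount Name:\t\t\tjdoe\n"
    "\tAccount Domain:\t\t\tWIN2016\n"
    "\n"
    "RADIUS Client:\n"
    "\tClient Friendly Name:\t\tedgeswitch\n"
    "\tClient IP Address:\t\t192.168.24.10\n",
]

# $enab<N>$ is the username the switch uses for an enable request at level N.
ENABLE_ACCOUNT = re.compile(r"^\$enab(\d+)\$$")
# One 'Field:<tabs>value' line of the event text.
FIELD = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")


def parse_event(text):
    """Return the 'Field: value' pairs of one NPS event as a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(2):          # skip section headers such as 'User:'
            fields[m.group(1)] = m.group(2)
    return fields


def classify(fields):
    """Label an event as an enable-password request or a normal login."""
    name = fields.get("Account Name", "")
    client = fields.get("Client IP Address")
    m = ENABLE_ACCOUNT.match(name)
    if m:
        return {"kind": "enable-request", "account": name,
                "priv_level": int(m.group(1)), "client": client}
    return {"kind": "login", "account": name, "client": client}


def triage(events):
    """Count denials per kind and list the accounts involved."""
    results = [classify(parse_event(e)) for e in events]
    counts = Counter(r["kind"] for r in results)
    accounts = sorted({r["account"] for r in results})
    return {"counts": dict(counts), "accounts": accounts}


if __name__ == "__main__":
    summary = triage(SAMPLE_EVENTS)
    print(summary)
    if summary["counts"].get("enable-request"):
        print("enable denials seen: create the $enab15$ account on NPS "
              "or set a local enable password on the switch")
```

Feed it the message text of NPS event 6273 entries exported from the Security log; a run of enable-request denials from the switch's address with no matching login denials is the signature of the "can log in but cannot re-enable" symptom described above.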
