When I had already dived into RADIUS for wireless network authentication, authorization (and accounting) – AAA – I started to think that it was worth to tinker about moving admin authentication of @work switches to RADIUS too. Netgear managed switches definitely support this – unfortunately neither their Websites, KB, nor the (mostly quite good) Software Administration Manuals for firmware 8.0 and 10.0 mention real-life configuration examples – only 802.1x port authentication.
I had to get inspired by comparing Cisco, Dell PowerConnect (see “P.S.”) documentation and blog post but in the end I hope this make sense for you too:
First things first, define a local admin password and enable password (if your policy or you want to have it
(switch) #enable password (switch) #configure (switch) (Config)#username admin password
Then enter the RADIUS server configuration – and prepare authentication via RADIUS where Netger uses a concept of lists that contain methods of authentication (very close to Cisco IOS too). The first method will be use as long as it does not time out, I put local in there in case no RADIUS server is available. But since my environment was small and I wanted to keep the config files as small as possible I stuck to the default lists which for SSH and Telnet is the ‘networkList’.
(switch) (Config)#radius server host auth <ip|name> port 41812 (switch) (Config)#radius server key auth <ip|name> (switch) (Config)#aaa authentication login "networkList" radius local
Still not getting to privileged mode?
The 10.x-based Netgears should let you authenticate with any user the RADIUS server allows to access, yet it doesn’t allow you to privileged exec mode other than with the local enable password. Here you have at least 3 options where for 2 of them I know how to achieve them:
Use a global enable admin (1)
You can configure ‘enableList’ (or create a enable List on your own) to do radius auth, but then it will ask your Server to verify a user called $enab15$ user (this is actually documented in the CLI manual). Obviously the point of having personal admin acccounts is to have shared global admin passwords agains. This works and is documented in the CLI manual personally but I don’t really like this idea.
Tell the switch that about being an administrative user (2 & 3)
Then you can configure your RADIUS server to inform the switch via additional reply message: “this is an admin, let him/her to privileged mode”. For Netgear the message is Service-Type = Administrative-User – finding this out was possible thanks to similarities with Dell PowerConnect and by trying it out.
(2) If you have your own lists you’ll have to figure out how to configure the switch to work correctly but in case you use the default lists (3), you have to tell your switch to interpret the additional message with:
(switch) (Config)#aaa authorization exec default radius local
For the Web-UI this additional reply message from the RADIUS server is (interestingly!) not required for the Web-UI. Any user your RADIUS-Server sedns “Access-Accept” gets full access to the Web-UI. (I’ll re-check this) Make sure you only let members of your admin group pass at the level of the RADIUS server. If you are ok with this, you only have to tell http method to use radius too:
(switch) (Config)#ip https authentication radius local
Obviously you can send cisco-avpair = “shell:priv-lvl=15” which is what you can do with Cisco Switches – the advantage being that you (should) be able to more granuarly pass privilege level although I haven’t investigated what the different privilege levels other than 15 (admin) means on Netgear.
Finally on 10.x the serial ports (line console) don’t use networkList by default but defaultList – by modifying networkList you obviously leave console to local authentication only – what’s your though on this? If I have physical access to the device should I make it possible to silently try and error network admin passwords or should I make things consistent for all logins?
Differences to pre-10.x firmware
For Firmware 8.0-based switches that can’t be updated to 10.x firmware things are a bit different – and likely 9.0 too according to CLI manuals. I didn’t have any’ 9.x available as all have been legit for 10.x upgrade). The ‘aaa authorizaion’ command didn’t exist back then. Instead of this, create an authentication list and map it to the ssh method. The additionnal message from your RADIUS server thereafter is sufficient to get to enable mode.
aaa auhentication login mylist radius local line ssh (switch) >login authentication mylist
Difference in enable behaviour
Both 8.x/9.x and 10.x will happily pass you to privileged exec mode on a CLI with following differences (with this config, YMMV)
- 10.x will put you directly into privileged exec mode (Prompt: hostname) #) if it has received Service-Type= Administrative-User
- 8.x/9.x will continue asking for the enable command but let you pass without additional password query
- 10.x will NOT let you in without this message – even if the RADIUS-Server has sent ‘Access-Accept’
- 8.x/9.x will let any user to CLI for which it has received an “Access-Accept” – but it will deny privileged exec mode without receiving the additional message from the RADIUS server:
(8.x-switch) >enable Access Denied! You are not authorized to enter into Privilege mode!
In a later post I’ll jot down a sample configuration for basic switch admin authentication for FreeRADIUS, note that Netgears only do the most basic RADIUS authentication method called PAP. With FreeRADIUS this requires you to have passwords store in cleartext in your password database (which is not what AD does but NT hashes) – but there is a workaround for this dilemma at least with AD.
- CLI manuals (remember check for the Manuals specific to your model)
- 10.0 (M5300): ftp://downloads.netgear.com/files/GDC/M5300/M5300_CLI_Aug2012.pdf
- 9.0.2 (GSM722xx): ftp://downloads.netgear.com/files/CLI_9-0-2.pdf
- 8.0.3 (7200 series): ftp://downloads.netgear.com/files/7200_CLI.8.0.3.pdf
- vNetWise: 2008R2 RADIUS Authentication for Dell PowerConnect 6248
P.S. The chances are good that if you have some Dell PowerConnect switches and yet see FASTPATH mentioned in SNMP MIBs, Manuals etc. or you think that the syntax looks very close to Netgear – yes both are running on the same Broadcom FASTPATH software (based on some embedded Linux kernel).
admin July 16, 2013
Posted In: Uncategorized