I am configuring a cnMatrix TX2020 “WISP switch”, and would like to have it use RADIUS servers on my network for admin authentication.
We are managing the switch via cnMaestro Cloud, so there shouldn’t be a regular need to log in directly to the switch… but I still want to have that as an option, and would like for RADIUS to work.
cnMaestro makes it simple to set up the RADIUS server secrets, but it does not seem to offer an option to use RADIUS for admin login auth. I’ve tried using the “User-Defined Overrides” within the Switch Group that is managing this switch, but that doesn’t seem to work.
I can manually set `login authentication radius local` from the CLI on the switch, and this does seem to stay in place even after I make a different change to the Switch Group and sync again… but I’m not sure if this is intended behavior?
So, problem number 1 is that there doesn’t seem to be a way to enable RADIUS auth for switch administration using cnMaestro and Switch Group config sync. However, I’m able to work around this for now to test further.
I can get myself logged in to a switch using my RADIUS account. However… I am dumped to an un-privileged command prompt (`>` instead of `#`), and if I try to `enable`, I have no idea what password to use (cnMaestro doesn’t set one, or at least nothing is displayed…).
With Cisco, the RADIUS server needs to set the “Cisco-AVPair” attribute to `shell:priv-lvl=15` for a full admin user, or `shell:priv-lvl=1` for a read-only / guest type user. On JunOS, you have to define a local user account on the switch with the access that you want to use, and then you send back a RADIUS attribute of `Juniper-Local-User-Name` set to the local name that represents the access you want the RADIUS user to have.
I’ve already tested, Cambium does not use the same attribute as Cisco… but I assume there is something that can be set in the RADIUS reply that will grant a user a specific privilege level?
Is there a document somewhere that explains all of this functionality with cnMatrix? I am happy to open a support case on this if it would be a better route, but I figured that posting publicly would potentially benefit everyone…
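For readers comparing the two vendor approaches described above, here is an added FreeRADIUS `users` file fragment (constructed for this post; it is not from the original question, from Cambium, or from any cnMatrix documentation). It assumes the stock FreeRADIUS `dictionary.cisco` and `dictionary.juniper` are loaded, and the usernames, passwords and the Juniper template login name `super-users` are made-up values. The cnMatrix attribute is not established in this thread, so that entry is only a labelled placeholder.

```text
# Constructed FreeRADIUS "users" entries (example only, not Cambium's or the poster's config).
# Requires the bundled Cisco and Juniper dictionaries (loaded by default in FreeRADIUS 3.x).

# Cisco IOS: privilege level 15 (full admin) via the Cisco-AVPair vendor attribute
netadmin   Cleartext-Password := "example-only"
           Service-Type = NAS-Prompt-User,
           Cisco-AVPair = "shell:priv-lvl=15"

# Cisco IOS: privilege level 1 (read-only / guest style access)
netviewer  Cleartext-Password := "example-only"
           Service-Type = NAS-Prompt-User,
           Cisco-AVPair = "shell:priv-lvl=1"

# Junos: map the RADIUS user onto a local template account defined on the switch.
# "super-users" is an assumed local login name; it must exist on the device.
jnpradmin  Cleartext-Password := "example-only"
           Juniper-Local-User-Name = "super-users"

# cnMatrix: the privilege attribute is not established in this thread.
# Placeholder only; replace once the vendor attribute is confirmed:
# cnmxadmin  Cleartext-Password := "example-only"
#            <CAMBIUM-PRIVILEGE-ATTRIBUTE-TBD> = "<value>"
```

After reloading FreeRADIUS, `radtest netadmin example-only 127.0.0.1 0 <shared-secret>` should return an Access-Accept whose attribute list shows the `Cisco-AVPair` value; if the switch still lands in the unprivileged prompt after a correct Accept, the NAS is not honouring that attribute and the vendor's own mapping is what needs to be confirmed.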