Switch ASA enhanced and RADIUS auth issues

cbr
Member
Posts: 2
Joined: 18 Sep 2023 06:10

Post by cbr »

Hello everyone,

I'm new to the forum and to Alcatel switches. We are deploying several OS in our company, and we plan to use RADIUS for authentication.

I set up the RADIUS authentication and it's working fine with vendor specific attributes configured (Alcatel-Lucent-Asa-Access, Alcatel-Lucent-Acce-Priv-F-W1, Alcatel-Lucent-Acce-Priv-F-W2).

I also activated the ASA Enhanced mode. After saving and reloading, I can't do any configuration on the switch. When I try to, it says:
> "ERROR: Authorization failed. No functional privileges for this command."

Also, in the documentation I found this statement:
> "The user has to re-authenticate before entering to super user mode. The switch verifies whether the user of the current session has the privilege to access the super user mode. If the user has enough privilege, then the switch prompts for a password, if not, the switch prompts for the user credentials too with enough privilege. Only if the authentication is successful, then the user shall be allowed to access the mode prompt."

Unfortunately, I can't figure out which is the command to access the super user mode.
The documentation is really lacking here.

Can anyone help? Thank you.
silvio
Alcatel Unleashed Certified Guru
Posts: 1894
Joined: 01 Jul 2008 10:51
Location: Germany

Re: Switch ASA enhanced and RADIUS auth issues

Post by silvio »

Not sure about the real function of the enhanced mode in the actual release - I tested it one year ago (also with some problems).
But I think you can only solve the issue with USB disaster recovery to have access again. Then try with the super-user. Otherwise open a ticket at ALE to get the correct way.
Best regards
Silvio
Gleylancer
Member
Posts: 156
Joined: 08 May 2013 03:14

Re: Switch ASA enhanced and RADIUS auth issues

Post by Gleylancer »

If you still have a local user in the authentication chain (which should always be the case, at least for console, IF configured properly), all you have to do is make the RADIUS server unreachable, then you can log in. If there's no such thing in the authentication chain, you locked yourself out.

-Never- configure RADIUS on the console port and you're safe from things like this happening.
cbr
Member
Posts: 2
Joined: 18 Sep 2023 06:10

Re: Switch ASA enhanced and RADIUS auth issues

Post by cbr »

Hi All,

Thank you for your reply.

I still have a local user, the admin user. I already tried to block RADIUS so that local auth would become available.
I'm able to log in to the switch with admin, but I've got the same issues.

As Silvio said, I'm locked out. After digging into the documentation:
According to the manuals, until 8.7R3 (included) the allow-config mode is needed to gain access. This needs to be done before changing to enhanced mode:

Switch management guide 8.7R3:
> The configuration mode is active only when the switch is in Enhanced Mode. The config-mode user must be created in the ASA Default Mode before enabling the Enhanced Mode on the switch.

user config-mode-user password *********** read-write all allow-config enable


I'll need to reset the switch and create that config-mode-user.

Thanks for your help!