APC8953 local account Issue

APC UPS Data Center & Enterprise Solutions Forum

Schneider Electric support forum for our Data Center and Business Power UPS, UPS Accessories, Software, Services, and associated commercial products designed to share knowledge, installation, and configuration.

Solved
BillP

This question was originally posted by Exploitation on APC forums on 5/5/2016


Hello,

Full of hope, I'm trying this forum, looking for any help with this weird issue.

I'm running firmware 6.X on APC8953.

I can log in with apc/apc, but as soon as I set up RADIUS authentication, any of the local accounts fails (and also apc).

On my RADIUS server, I see logs with failed attempts (with login "apc" or any APC local user).

Authentication methods are: "radius" / "radiusLocal" / "local".

I have not used any "override" settings to bypass local or RADIUS authentication.

I did some hard resets (long press on the "reset" button, then once again when the LED is blinking orange) but the issue still comes up...

For info, the RADIUS account works perfectly, and I can manage the APC as an administrator using this authentication.

I'm just afraid that the "apc" account (or any local one) would be unavailable.

Any guess about this weird issue? Any idea of a solving method?

Thanks for your help.

Alex


BillP

Re: APC8953 local account Issue

This reply was originally posted by Angela on APC forums on 5/5/2016


Hi Alex,

The way our Network Management Card (NMC) enabled devices (like your Rack PDU) work with those different authentication methods is as follows:

  1. RADIUS Only (radius) - The NMC will only try to authenticate via the RADIUS server. We don't typically recommend this because if RADIUS goes down, you are stuck and will have to use serial access (unless you disable that back door or block it on a per user basis.)
  2. RADIUS then local (radiusLocal) - The NMC will try the RADIUS server for authentication and only when the RADIUS server is unreachable over the network, will the NMC try to fall back to authenticating against its local database with the credentials you used. It does not try local authentication when the RADIUS server is accessible and your credentials are wrong.
  3. Local only (local) - The NMC does not use RADIUS at all and authenticates against its local database only.

Based on the above, I am not sure what you're trying to do? You cannot have a RADIUS server running and have the option of doing RADIUS and local. Only RADIUS then local as I described above.

Hope that helps. Let us know if you have any other questions.

BillP

Re: APC8953 local account Issue

This reply was originally posted by Exploitation on APC forums on 5/5/2016


Hi, thanks a lot for this answer.

I thought local accounts didn't use the radius/radiusLocal/local authentication methods.

But if I got what you just told me, local accounts will be available ONLY if radius is down.

Am I right?

It's a bit disturbing because on other 8953 APCs, I can log in using the apc account (local) despite having RADIUS authentication.

Thanks again for your help.

BillP

Re: APC8953 local account Issue

This reply was originally posted by Angela on APC forums on 5/5/2016


Hi Alex,

What authentication mode do you have configured on your Rack PDU when you see this problem? Maybe I am not understanding and this answer will matter to the behavior. And, which interface are you logging into? (web, telnet, SSH, etc)

The other setting that ties into different behavior in this arena is "Remote Authentication Override", which is a global system setting under Configuration->Security->Session Management and has a corresponding CLI command as well. Then, on a per user basis, you must enable/disable this as well - under Configuration->Security->Local Users->Management and select the apc user account (in this example). If it is disabled on a global level, then it won't matter what the user configuration for this item is because it is disabled at the global level.

These settings may play into the behavior too but pertain to when you try to bypass RADIUS via a serial connection if RADIUS only or RADIUS, then local authentication is configured.

If you configure local authentication only, the local accounts are used.

The only reason I can think of a local account working with RADIUS configured is if the authentication mode is actually set to local only OR RADIUS, then local and the RADIUS server is not present on the network.
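
The three authentication modes and the "Remote Authentication Override" setting described in the replies above, modelled as an added Python example (not part of the original thread and not APC firmware code). The names `authenticate`, `LocalUser` and `Radius` are hypothetical, and the serial-console override rule is an assumption drawn from the description in the last reply.

```python
"""Model of NMC login handling as described in the thread (not APC firmware code)."""
import hmac
from dataclasses import dataclass
from enum import Enum


class Radius(Enum):
    ACCEPT = "accept"            # server reachable, credentials valid
    REJECT = "reject"            # server reachable, credentials refused
    UNREACHABLE = "unreachable"  # no answer from the RADIUS server


@dataclass
class LocalUser:
    password: str                # plaintext only because this is a toy model
    override: bool = False       # per-user "Remote Authentication Override"


def authenticate(mode, user, password, radius, local_users,
                 interface="web", global_override=False):
    """Return (allowed, backend_that_decided) for one login attempt."""
    entry = local_users.get(user)

    def local_ok():
        return entry is not None and hmac.compare_digest(entry.password, password)

    if mode == "local":
        return local_ok(), "local"

    # Assumed rule: the serial console may bypass RADIUS only when the
    # global AND the per-user override are both enabled.
    if (interface == "serial" and global_override
            and entry is not None and entry.override and local_ok()):
        return True, "local-override"

    if radius is Radius.ACCEPT:
        return True, "radius"
    if radius is Radius.REJECT:
        # A reachable server is authoritative: no fallback in either mode,
        # so a local-only account such as "apc" shows up as a failed
        # attempt in the RADIUS server log.
        return False, "radius"
    # Server unreachable: only radiusLocal falls back to the local database.
    if mode == "radiusLocal":
        return local_ok(), "local-fallback"
    return False, "radius"
```

When auditing a fleet, a device that accepts a local account while RADIUS is reachable is, by this model, running in `local` mode or cannot reach its RADIUS server, which is worth checking on the other units mentioned in the thread.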