APC8953 local account Issue

BillP · ‎2021-06-27

Hello,

Full of hope, i'm trying this forum, looking for any help about this weird issue.

I'm running firmware 6.X on APC8953

I can log in with apc/apc , but as soon as i setup radius authentication, any of the local account failed (and also apc)

On my radius server, i see logs with failed attempted (with login "apc" or any apc local user)

authentication methods are: "radius" / "radiusLocal" / "local".

I have not used any "override" settings to bypass local or radius authentication.

I did some hard reset (long duration press "reset" button, then once again when led is blinking orange) but the issue still comes out...

For info, radius account work perfectly, and i can manage the APC as an administrator using this authentication.

I'm just afraid that the "apc" account (or any local one) would be unavailable

Any guess for this weird issue ? Any idea of solving method ?

Thanks for your help.

Alex

BillP · ‎2021-06-27

Hi Alex,

What authentication mode do you have configured on your Rack PDU when you see this problem? Maybe I am not understanding and this answer will matter to the behavior. And, which interface are you logging into? (web, telnet, SSH, etc)

The other settings that tie into different behavior in this arena is "Remote Authentication Override" which is a global system setting under Configuration->Security->Session Management and has a corresponding CLI command as well. Then, on a per user basis, you must enable/disable this as well - under Configuration->Security->Local Users->Management and select the apc user account (in this example). If it is disabled on a global level, then it won't matter what the user configuration for this item is because it is disabled at the global level.

These settings may play into the behavior too but pertain to when you try to bypass RADIUS via a serial connection if RADIUS only or RADIUS, then local authentication is configured.

If you configure local authentication only, the local accounts are used.

The only reason I can think of a local account working with RADIUS configured is if the authentication mode is actually set to local only OR RADIUS, then local and RADIUS server is not present on the network.

See Answer In Context

BillP · ‎2021-06-27

Hi Alex,

The way our Network Management Card (NMC) enabled devices (like your Rack PDU) work with those different authentication methods are as follows:

RADIUS Only (radius) - The NMC will only try to authenticate via the RADIUS server. We don't typically recommend this because if RADIUS goes down, you are stuck and will have to use serial access (unless you disable that back door or block it on a per user basis.)
RADIUS then local (radiusLocal) - The NMC will try the RADIUS server for authentication and only when the RADIUS server is unreachable over the network, will the NMC try to fall back to authenticating against its local database with the credentials you used. It does not try local authentication when the RADIUS server is accessible and your credentials are wrong.
Local only (local) - The NMC does not use RADIUS at all and authenticates against its local database only.

Based on the above, I am not sure what you're trying to do? You cannot have a RADIUS server running and have the option of doing RADIUS and local. Only RADIUS then local as I described above.

Hope that helps. Let us know if you have any other questions.

BillP · ‎2021-06-27

Hi, thanks a lot for this answer.

I thought local accounts didn't use the radius/radiusLocal/local authentication methods.

But if I got what you just told me, local accounts will be available ONLY if radius is down.

Am I right ?

It's a bit disturbing because on other 8953 APCs, i can log in using apc account (local) despite having radius authentication.

Thanks again for your help.

BillP · ‎2021-06-27

Hi Alex,

What authentication mode do you have configured on your Rack PDU when you see this problem? Maybe I am not understanding and this answer will matter to the behavior. And, which interface are you logging into? (web, telnet, SSH, etc)

The other settings that tie into different behavior in this arena is "Remote Authentication Override" which is a global system setting under Configuration->Security->Session Management and has a corresponding CLI command as well. Then, on a per user basis, you must enable/disable this as well - under Configuration->Security->Local Users->Management and select the apc user account (in this example). If it is disabled on a global level, then it won't matter what the user configuration for this item is because it is disabled at the global level.

These settings may play into the behavior too but pertain to when you try to bypass RADIUS via a serial connection if RADIUS only or RADIUS, then local authentication is configured.

If you configure local authentication only, the local accounts are used.

The only reason I can think of a local account working with RADIUS configured is if the authentication mode is actually set to local only OR RADIUS, then local and RADIUS server is not present on the network.