Questions with using DUO 2FA with Dell N2048p network switches


#1

I have been at this for days now but can’t figure this out. We have purchased some Dell N2048P switches and I am in the process of setting them up. I have set up RADIUS within the Duo web portal for 2FA, and the push to my phone with the Duo app works fine and I get logged into the switch. I am using [radius_server_auto] in the authproxy.cfg with client=ad_client. My questions are:

  1. What line of code do I need to use on these switches to put myself in the Privileged EXEC mode when logging in? I am having to type my local enable password after I get connected. I have asked Dell Support about this and they say this is a function of the Radius server itself that allows this to happen. I am guessing that I maybe add something to the authproxy.cfg to make this happen? Their actual quote is:

The rest of the configuration will need to be done on the RADIUS side, in this case Duo Security. With enable authentication set to RADIUS, as soon as the command enable is issued on the switch, it will then try to authenticate via the RADIUS server. If the RADIUS server is not configured to handle the enable scenario, then you will not be authenticated. I suggest contacting Duo Security, to see if they are able to accommodate enable authentication.

  2. Logging into the web interface, I get prompted with the 2FA and I am able to get logged in. However, I get a prompt upon logon that says “Please note that you are a level 1 user and do not have configuration privileges. This session is limited to read-only operations.” Any help with this will be appreciated!

#2

I found your conversation about this on the Dell forum. Before that post, had you tried the N series RADIUS instructions here?

We haven’t done any testing with these Dell switches so can’t guide you through the setup on the switch side, but can certainly assist with questions about the Duo proxy’s handling of incoming requests.

So, do you actually see any auth traffic passed to the Duo authentication proxy when you try to elevate to the enable prompt?

Have you tried turning on the authentication proxy’s debug logging to get more info about the auth requests?

What username does the enable command send - yours or a generic one (like the $enab15$ user mentioned in the article the Dell tech recommended to you)?

When you say…

What line of code do I need to use on these switches to put myself in the Privileged EXEC mode when logging in?

Do you mean you want to automatically be in privileged mode as soon as you login? The Dell tech who responded to you said…

as soon as the command enable is issued on the switch, it will then try to authenticate via the RADIUS server

Which implies you have to actually issue the enable command on the switch, but it sounds like you expect Duo to issue this command for you somehow? The authentication proxy is going to return an authentication allow or reject to the switch. I noticed the linked article goes through the process of creating a shell:priv-lvl=15 VSA for PowerConnect 3xxx / 5xxx / 6xxx switches. Is this required for the N series? The Duo Authentication Proxy doesn’t support user defined custom VSAs.
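To make the point above concrete, here is an added example (not code from Duo, Dell, or either poster) that parses RADIUS packets the way one would when reading the proxy's debug log or a capture: it shows the User-Name an enable-step Access-Request carries (constructed here as $enab15$) and that a bare Access-Accept contains no privilege-level VSA, while one carrying shell:priv-lvl=15 does. It assumes that attribute is encoded as a Cisco-AVPair (vendor 9, type 1), and it omits User-Password and Message-Authenticator because the point is attribute inspection, not a live exchange.

```python
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_VENDOR_SPECIFIC = 1, 26
# Assumption: shell:priv-lvl is carried as a Cisco-AVPair VSA (vendor 9, vendor-type 1)
VENDOR_CISCO, CISCO_AVPAIR = 9, 1

def avp(attr_type, value):
    """Encode one RADIUS attribute: type(1) length(1) value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def cisco_avpair(text):
    """Wrap a Cisco-AVPair string inside a Vendor-Specific (26) attribute."""
    inner = avp(CISCO_AVPAIR, text.encode())
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + inner)

def build_packet(code, ident, attrs, authenticator=b"\x00" * 16):
    """RADIUS header (code, id, length, 16-byte authenticator) followed by attributes."""
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(data):
    """Return (code, id, [(type, value), ...]); rejects truncated or malformed AVPs."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length != len(data):
        raise ValueError("bad packet length")
    attrs, pos = [], 20
    while pos < length:
        t, l = data[pos], data[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, data[pos + 2:pos + l]))
        pos += l
    return code, ident, attrs

def summarize(data):
    """Pull out User-Name and any VSAs as (vendor, vendor_type, text) tuples."""
    code, ident, attrs = parse_packet(data)
    user, vsas = None, []
    for t, v in attrs:
        if t == ATTR_USER_NAME:
            user = v.decode(errors="replace")
        elif t == ATTR_VENDOR_SPECIFIC and len(v) >= 6:
            vendor = struct.unpack("!I", v[:4])[0]
            vsas.append((vendor, v[4], v[6:4 + v[5]].decode(errors="replace")))
    return {"code": code, "id": ident, "user": user, "vsas": vsas}

def grants_priv15(data):
    """True only for an Access-Accept that carries shell:priv-lvl=15."""
    s = summarize(data)
    return s["code"] == ACCESS_ACCEPT and any(
        vend == VENDOR_CISCO and vt == CISCO_AVPAIR and txt == "shell:priv-lvl=15"
        for vend, vt, txt in s["vsas"])

# Constructed sample packets, not captures from this thread
ENABLE_REQUEST = build_packet(ACCESS_REQUEST, 7, [avp(ATTR_USER_NAME, b"$enab15$")])
PLAIN_ACCEPT = build_packet(ACCESS_ACCEPT, 7, [])
PRIV15_ACCEPT = build_packet(ACCESS_ACCEPT, 7, [cisco_avpair("shell:priv-lvl=15")])
```

Run summarize() over the enable-step request to confirm which username the switch actually sends, and over the proxy's reply to see that an Accept without the VSA is what leaves the session at level 1.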


#3

Q: "Before that post, had you tried the N series RADIUS instructions here?"
A: Yes, those are the actual instructions that I used to set up RADIUS. I had that page open on a tab as I type this already. When I set up the authentication list, and apply that list to the line as outlined in the post, I get authentication failed trying either the local enable password or trying to use the RADIUS password…neither will work at that point.

Q: "So, do you actually see any auth traffic passed to the Duo authentication proxy when you try to elevate to the enable prompt?"
A: I have just really started using the Duo proxy, so I will need to read and figure out how to look at the traffic coming to the proxy.

Q: "Have you tried turning on the authentication proxy’s debug logging to get more info about the auth requests?"
A: I have not. I did not know this feature existed, but it makes sense that it would be there. I will try to figure that out as well.

Q: "What username does the enable command send - yours or a generic one (like the $enab15$ user mentioned in the article the Dell tech recommended to you)?"
A: The only local user that is on the switch is the user admin and this has the enable password set to it. I have tried to create the enable user as outlined in that article but authentication fails.

Q: "Do you mean you want to automatically be in privileged mode as soon as you login? The Dell tech who responded to you said…"
A: Yes, that is what I am trying to accomplish.

Q: "Which implies you have to actually issue the enable command on the switch, but it sounds like you expect Duo to issue this command for you somehow?"
A: I am just trying to not have to type the local enable password to get into privileged mode. After 2FA is successful that is all the authentication that one would need. Whether it be Duo or the switch itself that issues the command doesn’t matter to me as long as it works. Thanks for your help!