Merge remote-tracking branch 'origin/stage'

CumulusNetworks · Jan 30, 2025 · 785fc8c · 785fc8c
2 parents e9faa62 + e64248c
commit 785fc8c
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 28 deletions.
diff --git a/.../System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md b/.../System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md
@@ -196,44 +196,57 @@ A flat file mapping derives from the session number assigned during login, which
 
 ## Local Fallback Authentication
 
-{{%notice note%}}
-NVUE does not provide commands to configure local fallback authentication.
-{{%/notice%}}
+If a site wants to allow local fallback authentication for a user when none of the RADIUS servers are reachable, you can add a privileged user account as a local account on the switch.
 
-If a site wants to allow local fallback authentication for a user when none of the RADIUS servers are reachable, you can add a privileged user account as a local account on the switch. The local account must have the same unique identifier as the privileged user and the shell must be the same.
+To configure an account for local fallback authentication:
 
-To configure local fallback authentication:
+1. Add a local user account with the desired role and permissions as described in {{<link url="User-Accounts#add-a-new-user-account" text="Add a New User Account">}}.
 
-1. Add a local privileged user account. For example, if the `radius_priv_user` account in the `/etc/passwd` file is `radius_priv_user:x:1002:1001::/home/radius_priv_user:/sbin/radius_shell`, run the following command to add a local privileged user account named `johnadmin`:
+2. To ensure the local user account password will authenticate the user only when none of the RADIUS servers are reachable, configure the {{<link url="RADIUS-AAA#required-radius-client-configuration" text="authentication order">}} such that RADIUS has a preferred priority over local authentication:
 
-    ```
-    cumulus@switch:~$ sudo useradd -u 1002 -g 1001 -o -s /sbin/radius_shell johnadmin
-    ```
+{{< tabs "TabID211 ">}}
+{{< tab "NVUE Commands ">}}
+```
+cumulus@switch:~$ nv set system aaa authentication-order 10 radius
+cumulus@switch:~$ nv set system aaa authentication-order 20 local
+```
 
-2. To enable the local privileged user to run `sudo` and NVUE commands, run the following commands:
+{{< /tab >}}
+{{< tab "Linux Commands ">}}
 
-    ```
-    cumulus@switch:~$ sudo adduser johnadmin nvset
-    cumulus@switch:~$ sudo adduser johnadmin nvapply
-    cumulus@switch:~$ sudo adduser johnadmin sudo
-    cumulus@switch:~$ sudo systemctl restart nvued
-    ```
+Configure the `passwd` line in the `/etc/nsswitch.conf` file to place `files` after `mapuid` in the authentication order:
 
-3. Edit the `/etc/passwd` file to move the local user line before to the `radius_priv_user` line:
+```
+cumulus@switch:~$ vi /etc/nsswitch.conf 
 
-    ```
-    cumulus@switch:~$ sudo vi /etc/passwd
-    ...
-    johnadmin:x:1002:1001::/home/johnadmin:/sbin/radius_shell
-    radius_priv_user:x:1002:1001::/home/radius_priv_user:/sbin/radius_shell
-    ```
+# /etc/nsswitch.conf
+#
+# Example configuration of GNU Name Service Switch functionality.
+# If you have the `glibc-doc-reference' and `info' packages installed, try:
+# `info libc "Name Service Switch"' for information about this file.
+
+passwd:         mapuid files mapname
+group:          mapname files
+shadow:         files
+gshadow:        files
 
-4. To set the local password for the local user, run the following command:
+hosts:          files dns
+networks:       files
 
-    ```
-    cumulus@switch:~$ sudo passwd johnadmin
-    ```
+protocols:      db files
+services:       db files
+ethers:         db files
+rpc:            db files
 
+netgroup:       nis
+```
+
+{{< /tab >}}
+{{< /tabs >}}
+
+{{%notice note%}}
+If you configure the authentication order to prefer local authentication before RADIUS, both the local user account password and the password configured on the RADIUS server can be used to authenticate the user when the RADIUS servers are reachable.  
+{{%/notice%}}
 ## RADIUS User Command Accounting
 
 RADIUS user command accounting lets you log every command that a user runs and send the commands to the primary RADIUS server for auditing. Audit logs are a requirement for compliance standards, such as PCI and HIPPA.

diff --git a/...lus-linux-512/Layer-3/Border-Gateway-Protocol-BGP/Optional-BGP-Configuration.md b/...lus-linux-512/Layer-3/Border-Gateway-Protocol-BGP/Optional-BGP-Configuration.md
@@ -1391,7 +1391,7 @@ When you configure BGP PIC, Cumulus Linux assigns one next hop group for each so
 - Cumulus Linux does not support BGP PIC with EVPN, MLAG, or VRF route leaking.
 - Do not configure PIC if you have configured EVPN.
 - You can configure PIC on the default VRF only.
-- BGP PIC only redistributes the switch loopback address in addition to the host prefixes from the leaf. NVIDIA does not recommend redistributing interface addresses into BGP when you enable PIC.
+- NVIDIA recommends that you do not redistribute interface addresses into BGP when you enable PIC.
 - Do not configure the router ID and network address with the same value.
 - The BGP router ID and the aggregate address must not be in the same subnet.
 - Do not use martian addresses as the BGP router ID when you enable PIC.