Controlling Management Access
Figure 9-2. RADIUS Topology
The server can authenticate the user itself or make use of a back-end device to 
ascertain authenticity. In either case a response may or may not be 
forthcoming to the client. If the server accepts the user, it returns a positive 
result with attributes containing configuration information. If the server 
rejects the user, it returns a negative result. If the server rejects the client or 
the shared secrets differ, the server returns no result. If the server requires 
additional verification from the user, it returns a challenge, and the request 
process begins again.
If you use a RADIUS server to authenticate users, you must configure user 
attributes in the user database on the RADIUS server. The user attributes 
include the user name, password, and privilege level. 
The following example shows an entry in the FreeRADIUS 
/etc/raddb/users file that allows a user (name: admin) to log onto the 
switch with read/write privileges, which is equivalent to privilege level 15.
admin Auth-Type := Local, User-Password == "pass1234"
      Service-Type = NAS-Prompt-User
NOTE: To set the privilege level, use the Service-Type attribute. Do not 
use any vendor-specific attribute value pairs.
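The four outcomes described above (positive result, negative result, challenge, no result), as seen from the client side of the exchange. This is an added example, not code from this guide or from FreeRADIUS. It goes one step beyond the text by also checking the Response Authenticator defined in RFC 2865, so a reply signed with a different shared secret is discarded. The secret, identifier, authenticator and packets are constructed sample values, and the function names are hypothetical.

```python
import hashlib, hmac, struct

ACCEPT, REJECT, CHALLENGE = 2, 3, 11   # RFC 2865 packet codes
SERVICE_TYPE = 6                       # attribute type; value 7 = NAS-Prompt-User

def build_reply(code, ident, req_auth, attrs, secret):
    """Constructed server side: sign a reply with the shared secret."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def parse_attrs(blob):
    """Split type-length-value attributes; return None if malformed."""
    out, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            return None
        out[blob[i]] = blob[i + 2:i + blob[i + 1]]
        i += blob[i + 1]
    return out

def classify(reply, ident, req_auth, secret):
    """Client side: map a reply (None = timeout) to an outcome and attributes."""
    if reply is None:
        return "no-result", {}
    if len(reply) < 20:
        return "discard", {}
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or not 20 <= length <= len(reply):
        return "discard", {}
    attrs = reply[20:length]
    expect = hashlib.md5(reply[:4] + req_auth + attrs + secret).digest()
    if not hmac.compare_digest(expect, reply[4:20]):
        return "discard", {}           # forged, or signed with a different secret
    parsed = parse_attrs(attrs)
    names = {ACCEPT: "accept", REJECT: "reject", CHALLENGE: "challenge"}
    if parsed is None or code not in names:
        return "discard", {}
    return names[code], parsed

if __name__ == "__main__":
    secret, ident, req_auth = b"constructed-secret", 42, bytes(range(16))
    svc = struct.pack("!BBI", SERVICE_TYPE, 6, 7)   # Service-Type = NAS-Prompt-User
    ok = build_reply(ACCEPT, ident, req_auth, svc, secret)
    print(classify(ok, ident, req_auth, secret))
    print(classify(build_reply(REJECT, ident, req_auth, b"", secret), ident, req_auth, secret))
    print(classify(build_reply(ACCEPT, ident, req_auth, svc, b"other"), ident, req_auth, secret))
    print(classify(None, ident, req_auth, secret))
```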
[Figure 9-2 diagram labels: Management Host, Management Network, PowerConnect Switch, Primary RADIUS Server, Backup RADIUS Server]