Managing Network Security
EPICenter Concepts and Solutions Guide
By default, EPICenter communicates with devices for configuration changes using Telnet and TFTP. You
can optionally configure EPICenter to use Secure Telnet (SSH) and Secure FTP to execute configuration
commands and to upload and download configuration files on your Extreme Networks switches.
Finally, you can secure the communication between EPICenter clients and the EPICenter server itself by
using SSH (HTTPS) instead of the standard HTTP protocol, which is the default.
Using RADIUS for EPICenter User Authentication
Fundamental to the security of your network is controlling who has access to EPICenter itself, and what
actions different EPICenter users can perform. EPICenter provides a built-in authentication and
authorization mechanism through the use of user IDs and passwords, and user roles.
By default, EPICenter authenticates users using its own internal mechanism, based on the user names
and passwords configured in the Administration applet. However, for more robust authentication, or to
avoid maintaining multiple sets of authentication information, EPICenter can function as a RADIUS
client, or, for demonstration purposes, EPICenter can function as a RADIUS server.
Enabling EPICenter as a RADIUS client lets EPICenter use an external RADIUS server to authenticate
users attempting to log in to the EPICenter server. At a minimum, the RADIUS server’s “Service type”
attribute must be configured to specify the type of user to be authenticated. A more useful implementation
is to configure the external RADIUS server to return user role information along with the user
authentication.
Enabling EPICenter as a RADIUS server means that EPICenter can act as an authentication service for
Extreme switches or other devices acting as RADIUS clients. This feature may be useful in demonstration
or test environments where a more robust authentication service is not needed. However, EPICenter’s
RADIUS server is not sufficiently robust to serve as a primary RADIUS server in a production
environment. If RADIUS authentication is needed, an external RADIUS server should be used, and
EPICenter should be configured as a RADIUS client.
Configuring a RADIUS Server for EPICenter User Authentication
EPICenter uses administrator roles to determine who can access and control your Extreme Networks
network equipment through EPICenter. A user’s role determines what actions the administrative user is
allowed to perform, through EPICenter or directly on the switch. When users are authenticated through
EPICenter’s built-in login process, EPICenter knows what role each user is assigned, and grants access
accordingly.
If users are going to be authenticated by an outside RADIUS authentication service, then that service
needs to provide role information along with the user’s authentication status. In the simplest case,
where users always use one of the pre-defined roles that are built into EPICenter, you can
configure the RADIUS server with a Service Type attribute to specify one of the built-in administrator
roles.
If you have created your own custom roles, you can set a Vendor-Specific Attribute (VSA) to send the
appropriate role information along with the authentication status of the user.
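
To check what role information an external RADIUS server actually returns, the following added example (not EPICenter code) verifies an Access-Accept reply as defined in RFC 2865 and extracts the Service-Type attribute and any Vendor-Specific Attribute. The shared secret, vendor ID, VSA type and role name are constructed placeholders, not values EPICenter defines.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, SERVICE_TYPE, VENDOR_SPECIFIC = 2, 6, 26   # codes from RFC 2865

def parse_access_accept(packet, request_auth, secret):
    """Verify an Access-Accept and return its Service-Type and VSAs."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Accept")
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator (wrong secret or altered reply)")
    result = {"service_type": None, "vsas": []}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        value = packet[pos + 2:pos + alen]
        if atype == SERVICE_TYPE and len(value) == 4:
            result["service_type"] = struct.unpack("!I", value)[0]
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]      # first sub-attribute only
            if vlen < 2 or 4 + vlen > len(value):
                raise ValueError("malformed vendor sub-attribute")
            result["vsas"].append((vendor_id, vtype, value[6:4 + vlen]))
        pos += alen
    return result

def build_sample_accept(ident, request_auth, secret, attrs):
    """Construct a sample reply the way a RADIUS server would (test data only)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

# Constructed sample: secret, vendor ID 99999, VSA type 1 and role name are placeholders.
SECRET, REQ_AUTH, ROLE = b"example-shared-secret", bytes(range(16)), b"CustomRole"
ATTRS = (struct.pack("!BBI", SERVICE_TYPE, 6, 6) +   # 6 = Administrative in RFC 2865
         struct.pack("!BBIBB", VENDOR_SPECIFIC, 8 + len(ROLE), 99999, 1, 2 + len(ROLE)) + ROLE)
SAMPLE = build_sample_accept(7, REQ_AUTH, SECRET, ATTRS)

if __name__ == "__main__":
    print(parse_access_accept(SAMPLE, REQ_AUTH, SECRET))
```

A reply that fails the authenticator check was built with a different shared secret or changed in transit, so its role information should not be trusted.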
There are a number of steps required to set up your RADIUS server to provide authentication and
authorization for EPICenter users. The following provides an overview of the process. A detailed
example can be found in Appendix D, “Configuring RADIUS for EPICenter Authentication”.
● Configure EPICenter (via the Admin applet) to act as a RADIUS client.