Authenticating Users Using RADIUS or TACACS+
ExtremeWare XOS 11.3 Concepts Guide
329
Filter-Id = "unlim"
albert Password = "password", Service-Type = Administrative
Filter-Id = "unlim"
samuel Password = "password", Service-Type = Administrative
Filter-Id = "unlim"
RADIUS Per-Command Configuration Example
Building on this example configuration, you can use RADIUS to perform per-command authentication
to differentiate user capabilities. To do so, use the Extreme-modified RADIUS Merit software that is
available from the Extreme Networks by contacting Extreme Networks technical support. The software
is available in compiled format for Solaris
™
or Linux
™
operating systems, as well as in source code
format. For all clients that use RADIUS per-command authentication, you must add the following type
to the client file:
type:extreme:nas + RAD_RFC + ACCT_RFC
Within the users configuration file, additional keywords are available for Profile-Name and Extreme-
CLI-Authorization
. To use per-command authentication, enable the CLI authorization function and
indicate a profile name for that user. If authorization is enabled without specifying a valid profile, the
user is unable to perform any commands.
Next, define the desired profiles in an ASCII configuration file called
profiles. This file contains
named profiles of exact or partial strings of CLI commands. A named profile is linked with a user
through the
users file. A profile with the permit on keywords allows use of only the listed commands.
A profile with the
deny keyword allows use of all commands except the listed commands.
CLI commands can be defined easily in a hierarchal manner by using an asterisk (*) to indicate any
possible subsequent entry. The parser performs exact string matches on other text to validate
commands. Commands are separated by a comma (,) or newline.
Looking at the following example content in profiles for the profile named
PROFILE1, which uses the
deny keyword, the following attributes are associated with the user of this profile:
â—Ź Cannot use any command starting with enable.
â—Ź Cannot issue the disable ipforwarding command.
â—Ź Cannot issue a show switch command.
â—Ź Can perform all other commands.
We know from the
users file that this applies to the users albert and lulu. We also know that eric is
able to log in, but is unable to perform any commands, because he has no valid profile assigned.
In
PROFILE2, a user associated with this profile can use any enable command, the clear counters
command and the
show management command, but can perform no other functions on the switch. We
also know from the
users file that gerald has these capabilities.
The following lists the contents of the file
users with support for per-command authentication:
user Password = ""
Filter-Id = "unlim"
admin Password = "", Service-Type = Administrative
Filter-Id = "unlim"
To Next Page
Loading...
Need help?
General
