Radius per-command configuration example – Extreme Networks Summit 300-48 User Manual

Page 45


Authenticating Users

Summit 300-48 Switch Software User Guide


eric    Password = "", Service-Type = Administrative
        Filter-Id = "unlim"
albert  Password = "password", Service-Type = Administrative
        Filter-Id = "unlim"
samuel  Password = "password", Service-Type = Administrative
        Filter-Id = "unlim"

RADIUS Per-Command Configuration Example

Building on this example configuration, you can use RADIUS to perform per-command authentication
to differentiate user capabilities. To do so, use the Extreme-modified RADIUS Merit software that is
available from the Extreme Networks web server at
http://www.extremenetworks.com/extreme/support/otherapps.htm or by contacting Extreme
Networks technical support. The software is available in compiled format for Solaris or Linux
operating systems, as well as in source code format. For all clients that use RADIUS per-command
authentication, you must add the following type to the client file:

type:extreme:nas + RAD_RFC + ACCT_RFC

Within the users configuration file, additional keywords are available for Profile-Name and
Extreme-CLI-Authorization. To use per-command authentication, enable the CLI authorization
function and indicate a profile name for that user. If authorization is enabled without specifying a valid
profile, the user is unable to perform any commands.

Next, define the desired profiles in an ASCII configuration file called profiles. This file contains
named profiles of exact or partial strings of CLI commands. A named profile is linked with a user
through the users file. A profile with the permit on keywords allows use of only the listed commands.
A profile with the deny keyword allows use of all commands except the listed commands.

CLI commands can be defined easily in a hierarchical manner by using an asterisk (*) to indicate any
possible subsequent entry. For all other text, the parser performs exact string matches to validate
commands. Commands are separated by a comma (,) or a newline.

Looking at the following example content in profiles for the profile named PROFILE1, which uses the
deny keyword, the following attributes are associated with the user of this profile:

- Cannot use any command starting with enable.
- Cannot issue the disable ipforwarding command.
- Cannot issue a show switch command.
- Can perform all other commands.

We know from the users file that this applies to the users albert and lulu. We also know that eric is
able to log in, but is unable to perform any commands, because he has no valid profile assigned.

In PROFILE2, a user associated with this profile can use any enable command, the clear counter
command and the show management command, but can perform no other functions on the switch. We
also know from the users file that gerald has these capabilities.
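The matching rules above (permit lists only the allowed commands, deny lists only the forbidden ones, an asterisk stands for any subsequent entry, everything else must match exactly, commands are separated by commas or newlines) and the two profiles described for albert, gerald and eric can be modelled in a few lines. The following is an added example, not Extreme's or Merit's code; the "profile NAME permit|deny" header syntax and the Python user records are constructed simplifications that stand in for the real profiles and users files, whose exact layout is not reproduced here.

```python
# Added example: a model of the per-command authorization semantics described in the
# manual text. Not Extreme's or Merit's code. The "profile NAME permit|deny" header
# syntax below is a constructed simplification, not the real `profiles` file format.
from dataclasses import dataclass, field


@dataclass
class Profile:
    name: str
    mode: str                                   # "permit" or "deny"
    patterns: list = field(default_factory=list)  # each pattern is a list of words


def parse_profiles(text: str) -> dict:
    """Parse the constructed syntax:
         profile NAME permit|deny
         commands separated by commas or newlines, until the next 'profile' line
    and return {name: Profile}."""
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("profile "):
            _, name, mode = line.split()
            if mode not in ("permit", "deny"):
                raise ValueError(f"unknown mode {mode!r} for profile {name}")
            current = Profile(name, mode)
            profiles[name] = current
            continue
        if current is None:
            raise ValueError("command list appears before any 'profile' header")
        # Commands are separated by a comma or a newline, as the manual states.
        for cmd in line.split(","):
            cmd = cmd.strip()
            if cmd:
                current.patterns.append(cmd.split())
    return profiles


def pattern_matches(pattern: list, command: str) -> bool:
    """'*' matches any subsequent entry (zero or more words); every other word must
    match exactly, and a pattern without '*' must consume the whole command."""
    words = command.split()
    for i, tok in enumerate(pattern):
        if tok == "*":
            return True
        if i >= len(words) or words[i] != tok:
            return False
    return len(words) == len(pattern)


def profile_allows(profile: Profile, command: str) -> bool:
    """permit: only listed commands are allowed; deny: everything except listed ones."""
    listed = any(pattern_matches(p, command) for p in profile.patterns)
    return listed if profile.mode == "permit" else not listed


def user_may_run(user: dict, profiles: dict, command: str) -> bool:
    """user = {'cli_authorization': bool, 'profile_name': str or None}, standing in
    for the Extreme-CLI-Authorization and Profile-Name keywords of the users file."""
    if not user.get("cli_authorization"):
        # Assumption: the manual only describes the enabled case; a user without CLI
        # authorization is treated here as not subject to per-command checks.
        return True
    profile = profiles.get(user.get("profile_name"))
    if profile is None:
        return False  # authorization enabled but no valid profile: no commands at all
    return profile_allows(profile, command)


# Constructed sample data mirroring the PROFILE1 / PROFILE2 descriptions in the text.
SAMPLE_PROFILES = """
profile PROFILE1 deny
enable *, disable ipforwarding
show switch
profile PROFILE2 permit
enable *, clear counter, show management
"""

SAMPLE_USERS = {
    "albert": {"cli_authorization": True, "profile_name": "PROFILE1"},
    "gerald": {"cli_authorization": True, "profile_name": "PROFILE2"},
    "eric":   {"cli_authorization": True, "profile_name": None},
}


def check(user_name: str, command: str) -> bool:
    """Authorization decision for one of the sample users and a CLI command string."""
    return user_may_run(SAMPLE_USERS[user_name], parse_profiles(SAMPLE_PROFILES), command)


if __name__ == "__main__":
    for who, cmd in [("albert", "enable ipforwarding"), ("albert", "show vlan"),
                     ("gerald", "show vlan"), ("eric", "show vlan")]:
        print(f"{who:7} {cmd!r:24} -> {'permit' if check(who, cmd) else 'deny'}")
```

Note the consequence of exact matching in a deny profile: "disable ipforwarding" is blocked for albert, but a longer command that merely starts with those words is not, because only patterns ending in "*" match subsequent entries. When writing a deny profile, decide deliberately whether each entry should be exact or end with an asterisk.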

The following lists the contents of the file users with support for per-command authentication:

user    Password = ""
