
Configuring command authorization using Windows Radius

  • 1.  Configuring command authorization using Windows Radius

    Posted 11-14-2014 19:48
    Has anyone successfully set up command authorization through a Windows RADIUS server?

    I'm using NPS on Server 2012 and would like to start adding commands that our tech can use. So far I can only grant Admin or User access through RADIUS. I found the documentation for setting this up through FreeRADIUS, but I can't seem to get it working with Windows.



  • 2.  RE: Configuring command authorization using Windows Radius

    Posted 06-16-2015 13:02
    Hi,

    Did you ever figure this out?
    I would be grateful if you could fill me in. I'm currently stuck trying to configure this.


  • 3.  RE: Configuring command authorization using Windows Radius

    Posted 06-16-2015 13:41


  • 4.  RE: Configuring command authorization using Windows Radius

    Posted 06-17-2015 04:49
    Hi,

    No, not really. Administrator access is not the issue.
    I want a specific user to have the right to only specific commands, specifically 'show configuration'.

    Best regards,
    Daniel


  • 5.  RE: Configuring command authorization using Windows Radius

    Posted 06-17-2015 07:45
    AFAIK that is not possible with Windows RADIUS.
    Normally that kind of different command level access is done with TACACS.

    -Ron


  • 6.  RE: Configuring command authorization using Windows Radius

    Posted 06-17-2015 07:56
    Yes, I'm starting to think it might not be possible.
    But then what is the point of the Extreme VSAs 201 and 202, i.e. Extreme-CLI-Authorization & Extreme-Shell-Command?



  • 7.  RE: Configuring command authorization using Windows Radius

    Posted 06-17-2015 08:11
    OK, might be that I'm wrong.

    In the Extreme XOS Concept Guide 15.4 they talk about "Configuring Command Authorization"...

    "If command authorization is disabled, the user has full access to all CLI commands.
    If command authorization is enabled, each command the user enters is accepted or rejected based on the content of the profiles file on the RADIUS server.
    For more information on RADIUS server configuration for command authorization, see Configuring Command Authorization (RADIUS Profiles)."

    Unfortunately the link to "see Configuring Command Authorization (RADIUS Profiles)." in the document isn't working so I haven't found a configuration example.

    -Ron


  • 8.  RE: Configuring command authorization using Windows Radius

    Posted 06-17-2015 08:45
    Yes, that's basically where I got stuck as well :)



  • 9.  RE: Configuring command authorization using Windows Radius

    Posted 06-17-2015 10:00
    FYI
    In the EXOS Concepts guide for older versions, i.e. 12.X, there is a chapter called "Configuring Command Authorization (RADIUS Profiles)". It describes exactly what I want to do, but only when using FreeRADIUS. This chapter is removed in later concepts guides, but the references to it are still there, just as you said.
    In the ExtremeXOS 15.7 User Guide the references are gone and the "Extreme-Shell-Command" is not even listed.

    //Daniel



  • 10.  RE: Configuring command authorization using Windows Radius

    Posted 07-04-2015 13:15
    Daniel,

    The radius attributes either provide "user" or "admin" rights. XOS (prior to 16.1) only allows for admin and user rights from radius authentication to commands within the CLI. As part of 16.1 release we have added some other options from the CLI but not from radius. The following security enhancements were added in 16.1...
    • Configurable timed lockout that is applied to accounts after a configurable number of failed logon attempts.

    • Stronger hash algorithm for account passwords.

    • Removal of unmasked passwords in the command line interface.

    • Stronger obfuscation of RADIUS and TACACS+ shared secrets.

    • Integrity checking of downloaded images.

    • Syslog alert issued when a configurable percentage of the Syslog memory buffer is filled.

    • Optionally restricting the use of “show log” and “show diagnostics” commands by non-administrator accounts.

    • The “safe defaults” script (unconfigured switch startup wizard) enables these new options collectively, as well as forcing the user to change the default administrator and failsafe passwords.



  • 11.  RE: Configuring command authorization using Windows Radius

    Posted 07-04-2015 13:15
    Thanks Bill,

    I have sort of given up getting it to work in the way I described earlier.

    I'm still curious as to what the Extreme VSAs listed below are supposed to be used for, and why VSA 202 is no longer mentioned in the user guides?

    ATTRIBUTE Extreme-CLI-Authorization 201 integer
    ATTRIBUTE Extreme-Shell-Command 202 string

    Best regards,
    Daniel



  • 12.  RE: Configuring command authorization using Windows Radius

    Posted 07-04-2015 13:15
    Hi Daniel,

    These VSAs were used and supported in older firmware (with limited commands) in FreeRadius server & Merit Radius servers.

    As this was supported with limited commands and only with few Radius servers, we have removed this from EXOS 15.1.3.1 onwards.

    We will work with the concerned team to remove the references wherever necessary.

    Regards,
    Naresh Pendem
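
Added example, not part of any post in this thread: a decoder for RADIUS Vendor-Specific attributes (RFC 2865, type 26) that picks out the two Extreme VSAs named above, for checking what a RADIUS server such as NPS actually returns in an Access-Accept. The attribute names and types come from the dictionary lines quoted in the thread; the vendor ID 1916 and the sample bytes are assumptions constructed for illustration.

```python
import struct

# Assumption: 1916 is Extreme Networks' IANA enterprise number (not stated in the thread).
EXTREME_VENDOR_ID = 1916
VENDOR_SPECIFIC = 26  # RFC 2865 attribute type for vendor-specific data
# Names and types taken from the dictionary lines quoted in the thread.
EXTREME_VSAS = {201: ("Extreme-CLI-Authorization", "integer"),
                202: ("Extreme-Shell-Command", "string")}


def encode_vsa(vendor_type, value):
    """Build one Vendor-Specific attribute carrying a single Extreme sub-attribute."""
    data = struct.pack("!I", value) if isinstance(value, int) else value.encode()
    sub = bytes([vendor_type, 2 + len(data)]) + data
    return bytes([VENDOR_SPECIFIC, 6 + len(sub)]) + struct.pack("!I", EXTREME_VENDOR_ID) + sub


def extreme_vsas(attrs):
    """Walk a RADIUS attribute list and return the decoded Extreme VSAs."""
    found, pos = [], 0
    while pos < len(attrs):
        if len(attrs) - pos < 2 or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("bad attribute length")
        a_type, a_len = attrs[pos], attrs[pos + 1]
        body = attrs[pos + 2:pos + a_len]
        pos += a_len
        if a_type != VENDOR_SPECIFIC or len(body) < 4:
            continue  # not a VSA, skip it
        if struct.unpack("!I", body[:4])[0] != EXTREME_VENDOR_ID:
            continue  # some other vendor's VSA
        sub, i = body[4:], 0
        while i < len(sub):
            if len(sub) - i < 2 or sub[i + 1] < 2 or i + sub[i + 1] > len(sub):
                raise ValueError("bad sub-attribute length")
            v_type, v_len = sub[i], sub[i + 1]
            raw = sub[i + 2:i + v_len]
            i += v_len
            name, kind = EXTREME_VSAS.get(v_type, (f"Extreme-{v_type}", "string"))
            if kind == "integer":
                if len(raw) != 4:
                    raise ValueError("integer VSA must be 4 bytes")
                found.append((name, struct.unpack("!I", raw)[0]))
            else:
                found.append((name, raw.decode("utf-8", "replace")))
    return found


# Constructed sample: Service-Type (type 6, value 6) followed by both Extreme VSAs.
SAMPLE = (bytes([6, 6]) + struct.pack("!I", 6)
          + encode_vsa(201, 1) + encode_vsa(202, "show configuration"))
```
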