Configuring command authorization using Windows Radius

  • Question
  • Updated 3 years ago
  • Answered

Has anyone successfully set up command authorization through a Windows RADIUS server?

I'm using NPS on Server 2012 and would like to start adding commands that our tech can use. So far I can only grant Admin or User access through RADIUS. I found the documentation for setting this up through FreeRADIUS, but I can't seem to get it working with Windows.

Forrest Darst

Posted 4 years ago


Daniel Warhammar

Hi,

Did you ever figure this out?
I would be grateful if you could fill me in. I'm currently stuck trying to configure this.

Ronald Dvorak, Embassador


Daniel Warhammar

Hi,

No, not really. Administrator access is not the issue.
I want a specific user to have the right to only specific commands, specifically 'show configuration'.

Best regards,
Daniel

Ronald Dvorak, Embassador

AFAIK that is not possible with Windows RADIUS.
Normally that kind of different command level access is done with TACACS.

-Ron

Daniel Warhammar

Yes, I'm starting to think it might not be possible.
But then what is the point of the Extreme VSAs 201 and 202, i.e. Extreme-CLI-Authorization & Extreme-Shell-Command?

Ronald Dvorak, Embassador

OK, might be that I'm wrong.

In the Extreme XOS Concept Guide 15.4 they talk about "Configuring Command Authorization"...

"If command authorization is disabled, the user has full access to all CLI commands.
If command authorization is enabled, each command the user enters is accepted or rejected based on the content of the profiles file on the RADIUS server.
For more information on RADIUS server configuration for command authorization, see Configuring Command Authorization (RADIUS Profiles)."

Unfortunately the link to "see Configuring Command Authorization (RADIUS Profiles)." in the document isn't working so I haven't found a configuration example.

-Ron

Daniel Warhammar

Yes, that's basically where I got stuck as well :)

Daniel Warhammar

FYI
In the EXOS Concepts guide for older versions, i.e. 12.X, there is a chapter called "Configuring Command Authorization (RADIUS Profiles)". It describes exactly what I want to do, but only when using FreeRADIUS. This chapter is removed in later Concepts guides, but the references to it are still there, just as you said.
In the ExtremeXOS 15.7 User Guide the references are gone and the "Extreme-Shell-Command" is not even listed.

//Daniel

Bill Stritzinger, Alum

Daniel, 

The radius attributes either provide "user" or "admin" rights.  XOS (prior to 16.1) only allows for admin and user rights from radius authentication to commands within the CLI.  As part of 16.1 release we have added some other options from the CLI but not from radius.  The following security enhancements were added in 16.1...
• Configurable timed lockout that is applied to accounts after a configurable number of failed logon attempts.

• Stronger hash algorithm for account passwords.

• Removal of unmasked passwords in the command line interface.

• Stronger obfuscation of RADIUS and TACACS+ shared secrets.

• Integrity checking of downloaded images.

• Syslog alert issued when a configurable percentage of the Syslog memory buffer is filled.

• Optionally restricting the use of “show log” and “show diagnostics” commands by non-administrator accounts.

• The “safe defaults” script (unconfigured switch startup wizard) enables these new options collectively, as well as forcing the user to change the default administrator and failsafe passwords.

Daniel Warhammar

Thanks Bill,

I have sort of given up getting it to work in the way I described earlier.

I'm still curious as to what the Extreme VSAs listed below are supposed to be used for, and why VSA 202 is no longer mentioned in the user guides?

ATTRIBUTE Extreme-CLI-Authorization 201 integer
ATTRIBUTE Extreme-Shell-Command 202 string


Best regards,
Daniel

Naresh Kumar Pendem, Alum

Hi Daniel,

These VSAs were used and supported in older firmware (with limited commands) with FreeRADIUS and Merit RADIUS servers.

As this was supported with limited commands and only with a few RADIUS servers, we have removed this from EXOS 15.1.3.1 onwards.

We will work with the concerned team to remove the references wherever necessary.

Regards,
Naresh Pendem
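
Added example, not part of the thread or of Extreme's documentation: how the two dictionary entries quoted above (vendor types 201 and 202) sit inside an RFC 2865 Vendor-Specific attribute, with a decoder for checking in a capture whether a RADIUS server such as NPS is actually returning them. The vendor ID 1916 is an assumption (Extreme Networks' IANA enterprise number, not stated on this page), and the sample values are constructed.

```python
import struct

VENDOR_SPECIFIC = 26      # RFC 2865 attribute type that carries VSAs
EXTREME_VENDOR_ID = 1916  # assumption: Extreme's IANA enterprise number (not given in the thread)
# Vendor types and data types taken from the two ATTRIBUTE lines quoted in the thread.
VSA_TYPES = {201: ("Extreme-CLI-Authorization", "integer"),
             202: ("Extreme-Shell-Command", "string")}

def encode_vsa(vendor_type, value):
    """Build one Vendor-Specific attribute holding a single Extreme sub-attribute."""
    kind = VSA_TYPES[vendor_type][1]
    data = struct.pack("!I", value) if kind == "integer" else value.encode("utf-8")
    if len(data) > 247:  # 255 - 2 (attr header) - 4 (vendor id) - 2 (sub header)
        raise ValueError("value too long for one attribute")
    sub = struct.pack("!BB", vendor_type, len(data) + 2) + data
    body = struct.pack("!I", EXTREME_VENDOR_ID) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body

def split_tlvs(buf):
    """Yield (type, value) pairs from a run of type/length/value fields."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated header")
        length = buf[pos + 1]  # length covers the two header bytes as well
        if length < 2 or pos + length > len(buf):
            raise ValueError("bad length field")
        yield buf[pos], buf[pos + 2:pos + length]
        pos += length

def decode_extreme_vsas(attributes):
    """Return (name, value) for every Extreme VSA in a packet's attribute bytes."""
    found = []
    for atype, value in split_tlvs(attributes):
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue  # not a VSA (e.g. User-Name), skip it
        if struct.unpack("!I", value[:4])[0] != EXTREME_VENDOR_ID:
            continue  # VSA from another vendor
        for vtype, data in split_tlvs(value[4:]):
            name, kind = VSA_TYPES.get(vtype, (f"Extreme-Unknown-{vtype}", "octets"))
            if kind == "integer":
                if len(data) != 4:
                    raise ValueError("integer VSA must be 4 bytes")
                data = struct.unpack("!I", data)[0]
            elif kind == "string":
                data = data.decode("utf-8", errors="replace")
            found.append((name, data))
    return found

# Constructed sample: a User-Name attribute followed by both VSAs (values are made up).
SAMPLE = bytes([1, 6]) + b"tech" + encode_vsa(201, 1) + encode_vsa(202, "show configuration")
```

`decode_extreme_vsas` takes the attribute bytes that follow the 20-byte RADIUS header of an Access-Accept; an empty result means the server is not sending either attribute.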