Has anyone successfully set up command authorization through a Windows RADIUS server?
I'm using NPS on Server 2012 and would like to start adding commands that our tech can use. So far I can only grant Admin or User access through RADIUS. I found the documentation for setting this up through FreeRADIUS, but I can't seem to get it working with Windows.
Is that what you are looking for...
In the Extreme XOS Concept Guide 15.4 they talk about "Configuring Command Authorization"...
"If command authorization is disabled, the user has full access to all CLI commands.
If command authorization is enabled, each command the user enters is accepted or rejected based on the content of the profiles file on the RADIUS server.
For more information on RADIUS server configuration for command authorization, see Configuring Command Authorization (RADIUS Profiles)."
Unfortunately the link to "see Configuring Command Authorization (RADIUS Profiles)." in the document isn't working so I haven't found a configuration example.
In the EXOS Concepts guide for older versions, i.e. 12.X, there is a chapter called "Configuring Command Authorization (RADIUS Profiles)". It describes exactly what I want to do, but only when using FreeRADIUS. This chapter is removed in later concepts guides, but the references to it are still there, just as you said.
In the ExtremeXOS 15.7 User Guide the references are gone and the "Extreme-Shell-Command" is not even listed.
The RADIUS attributes provide either "user" or "admin" rights. XOS (prior to 16.1) only allows for admin and user rights from RADIUS authentication to commands within the CLI. As part of the 16.1 release we have added some other options from the CLI but not from RADIUS. The following security enhancements were added in 16.1...
• Configurable timed lockout that is applied to accounts after a configurable number of failed logon attempts.
• Stronger hash algorithm for account passwords.
• Removal of unmasked passwords in the command line interface.
• Stronger obfuscation of RADIUS and TACACS+ shared secrets.
• Integrity checking of downloaded images.
• Syslog alert issued when a configurable percentage of the Syslog memory buffer is filled.
• Optionally restricting the use of “show log” and “show diagnostics” commands by non-administrator accounts.
• The “safe defaults” script (unconfigured switch startup wizard) enables these new options collectively, as well as forcing the user to change the default administrator and failsafe passwords.