Freeradius setup - version??

  • 7 January 2014
  • 14 replies

Userlevel 4
Create Date: Oct 5 2012 9:32AM

Hello, I am attempting to set up freeradius with my switches according to: ExtremeXOS® Concepts Guide Software Version 15.2

Especially the section regarding the profiles:

"Command authorization is also managed on a RADIUS server by editing text files. On a FreeRADIUS
server, the profiles file is divided into sections called profiles. Each profile lists command access
definitions. In the users file, you can use the Profile-Name attribute to select the command profile that
applies to each user managed by command authorization."

I have simply installed freeradius from yum version 2.1.10-5, but there is NO "profiles" file. Therefore in order to follow the guide, I need to know what version of freeradius is being used as it is not mentioned anywhere in the document.

Can you tell me which version of freeradius is used in the guide? Or how I can get around this?

Thank you

(from No_Shankus)

Create Date: Oct 5 2012 1:56PM

Hey Noshankus

We usually recommend FreeRADIUS.
I will try and upload a doc that helps show how to configure freeradius.

P (from Paul_Russo)
Create Date: Oct 5 2012 2:51PM

That would be great thank you.

What I am interested in is the configuration of both freeradius (freeradius-2.1.10-5.el6.x86_64) on Redhat and various/any extremeos switches where I can perform per-command authentication.

I understand that the switch in general has only two access levels; administrator and readonly. What I am trying to achieve is to have a "per-command" authentication implemented where specific commands may be executed if the users are authenticated to do so in freeradius.

If freeradius is not suitable for this, please let me know what other radius software I can use to implement the "per-command" authentication.

Thank you for your time 🙂 (from No_Shankus)
Create Date: Oct 5 2012 4:13PM

Hello Noshankus

I am currently having issues uploading files. I have a case open to see what the issue is and once resolved will post some docs that I hope help point you in the right direction.

Hopefully I will have an update soon

(from Paul_Russo)
Create Date: Oct 8 2012 10:01AM

Great, thank you again. (from No_Shankus)
Create Date: Oct 9 2012 11:17AM

Hi Prusso,

any news yet on whether it's possible? (from No_Shankus)
Create Date: Oct 9 2012 2:20PM

Hi Prusso,

In "ExtremeWare XOS 11.5 Concepts Guide" it says on page 425:
"Extreme Networks provides its users, free of charge, a radius server based on Merit RADIUS. Extreme
RADIUS provides per-command authentication capabilities in addition to the standard set of radius
"When Extreme RADIUS is up and running, the two most commonly changed files will be users and
profiles. The users file contains entries specifying login names and the profiles used for per-command
authentication after they have logged in."

However, there is no mention of this in "ExtremeXOS Concepts Guide, Software Version 15.2", but on page 886:
"Command authorization is enabled in the users file on a FreeRADIUS server, and configured in the
profiles file."

The problem is that there is no "profiles" file in freeradius... Please let me know if, in order to use authentication for specific commands, I have to use the Extreme Radius instead of freeradius.

Please clarify and thank you for your time 🙂 (from No_Shankus)
Create Date: Oct 9 2012 2:36PM

Hi Prusso,

If I must use "Extreme Radius" instead of freeradius, can you please let me know a link so that I may download it for Redhat 6 x86_64? An rpm would be preferable.
I cannot find any information about it. (from No_Shankus)
Create Date: Oct 9 2012 5:33PM

Hello Noshankus

The 11.5 code is very old and we do not have an Extreme Radius. I am still not able to upload so I placed this on our FTP site.

go to User name is northcentral password is "password"
When logged in change directory to northcentral it is a hidden directory.
Please grab the file freeradius.pdf

Hope this helps
P (from Paul_Russo)
Create Date: Oct 10 2012 11:21AM

Thanks Prusso,

however, it looks to be cut short.
The final page (page 7) ends with:
"If the RADIUS server does not specify a destination VLAN, the port moves to"....

but nothing else.

Also, there is no mention of the command authorisation.

Could you please re-check and re-upload?

Thanks for your time. (from No_Shankus)
Create Date: Oct 10 2012 2:07PM

Sorry about that. I tried to just get the min of the document. I grabbed the whole chapter on netlogin. It is the same name same login.

P (from Paul_Russo)
Create Date: Oct 11 2012 8:31AM

Hi Prusso,

I appreciate your help, thank you. However, this does not explain what I'm asking for.
I'm looking for the part about: "Configuring Command Authorization" using freeradius.

Please see page 886 in:
which was:
"Published: August 2012"

There are 4 files to configure:
"users", "dictionary" and "clients" --> no problem
"profiles" --> doesn't seem to exist in freeradius

Which leads me to believe that it's not possible, although the documentation is saying the contrary.

I'd appreciate it if you could clear that up - or provide another excerpt from that same document that details that configuration with freeradius. Likely, it doesn't involve a profiles file, but something else perhaps? (from No_Shankus)
Create Date: Oct 11 2012 2:27PM

Sorry Noshankus

I do not have any other documentation other than how to set up the switch, not on the radius server.

Not sure what else to suggest except to find a FreeRadius support group or admin.

Sorry it wasn't more help.

P (from Paul_Russo)
Create Date: Oct 11 2012 2:54PM

Hi Prusso,

unfortunately, the issue is not with freeradius, but with extreme. Possibly it is just misleading documentation.
I will go through normal support to find a resolution.

Thank you for your help. (from No_Shankus)
Create Date: Oct 11 2012 5:22PM

Good luck.

If the response is not what you want from TAC, don't forget you can escalate via a duty manager.

P (from Paul_Russo)