Header Only - DO NOT REMOVE - Extreme Networks

Radius Authenticate just Management or Network Access, on SecureStack


Userlevel 3
Article ID: 5677

Products
SecureStack C3
SecureStack C2
Firmware 3.01.94 and lower
SecureStack B3
SecureStack B2
Firmware 1.01.45 and lower
SecureStack A2
Firmware 1.00.27 and lower

Protocols/Features
Radius
UPN

Goals
Radius authenticate just device management access
Radius authenticate just network access
Authenticate to a RADIUS Server
Sample configuration

Cause
In order to permit Radius Authentication to regulate just device Management access or just user Network access, two elements must be configured:

  • A 'management' vs 'network' selection on the Radius server
  • A matching 'management' vs 'network' selection on the managed device
With earlier firmware, SecureStacks can either Radius-authenticate both management and network access, or neither.

Solution
For the C2, upgrade to firmware 3.02.30 or higher.
For the B2, upgrade to firmware 2.00.16 or higher.
For the A2, upgrade to firmware 1.01.20 or higher.

With these firmware versions, the DFE-like 'set radius realm' command is supported.
C2(rw)->set radius realm ?

management-access Sets Access type to management-access
network-access Sets Access type to network-access
any Sets Access type to any-access

C2(rw)->[/code]
Here is a sample partial configuration which authenticates against one server for network users and a different server for management access.
set radius enable
set radius server 1 1.2.3.4 1812 myfirstsecret realm network-access
set radius server 2 1.2.3.5 1812 myothersecret realm management-access[/code]

0 replies

Be the first to reply!

Reply