This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Configuring command authorization using Windows Radius

Configuring command authorization using Windows Radius

Forrest_Darst
New Contributor

‎11-14-2014 07:48 PM

Has anyone successful setup command Authorization through a windows radius server?

I'm using NPS on Server 2012 and would like to start adding command that our tech can use. So far I can only grant Admin or User access through Radius. I found the documentation for setting this up through FreeRadius, but I can't seem to get it working with Windows.

11 REPLIES 11

Bill_Stritzinge
Extreme Employee

‎07-04-2015 01:15 PM

Daniel,

The radius attributes either provide "user" or "admin" rights. XOS (prior to 16.1) only allows for admin and user rights from radius authentication to commands within the CLI. As part of 16.1 release we have added some other options from the CLI but not from radius. The following security enhancements were added in 16.1...
• Configurable timed lockout that is applied to accounts after a configurable number of failed logon attempts.

• Stronger hash algorithm for account passwords.

• Removal of unmasked passwords in the command line interface.

• Stronger obfuscation of RADIUS and TACACS+ shared secrets.

• Integrity checking of downloaded images.

• Syslog alert issued when a configurable percentage of the Syslog memory buffer is filled.

• Optionally restricting the use of “show log” and “show diagnostics commands by non-administrator accounts.

• The “safe defaults” script (unconfigured switch startup wizard) enables these new options collectively, as well as forcing the user to change the default administrator and failsafe passwords.

0 Kudos

Naresh_Kumar_Pe
Extreme Employee
In response to Bill_Stritzinge

‎07-04-2015 01:15 PM

Hi Daniel,

These VSA's were used and supporting in older firmware (with limited commands) in FreeRadius server & Merit Radius servers.

As this was supported with limited commands and only with few Radius servers, we have removed this from EXOS 15.1.3.1 onwards.

We will work with the concerned team to remove the references wherever necessary.

Regards,
Naresh Pendem

0 Kudos

digiwar
New Contributor
In response to Bill_Stritzinge

‎07-04-2015 01:15 PM

Thanks Bill,

I have sort of given up getting it to work in the way I described earlier.

I'm still curios as to what the Extreme VSAs listed below are supposed to be used for, and why VSA 202 is no longer mentioned in the user guides?

ATTRIBUTE Extreme-CLI-Authorization 201 integer
ATTRIBUTE Extreme-Shell-Command 202 string

Best regards,
Daniel

0 Kudos

digiwar
New Contributor

‎06-17-2015 10:00 AM

FYI
In the EXOS Concepts guide for older versions, i.e. 12.X, there is a chapter called "Configuring Command Authorization (RADIUS Profiles)". It describes exactly what I want to do, but only when using FreeRADIUS. This chapter is removed in later concepts guide, bu the references to it is still there, just as you said.
In the ExtremeXOS 15.7 User Guide the references are gone and the "Extreme-Shell-Command" is not even listed.

//Daniel

0 Kudos
GTM-P2G8KFN