Configuring command authorization using Windows Radius
11-14-2014 07:48 PM
Has anyone successfully set up command authorization through a Windows RADIUS server?
I'm using NPS on Server 2012 and would like to start adding commands that our tech can use. So far I can only grant Admin or User access through RADIUS. I found the documentation for setting this up through FreeRadius, but I can't seem to get it working with Windows.
11 REPLIES 11
07-04-2015 01:15 PM
Daniel,
The radius attributes either provide "user" or "admin" rights. XOS (prior to 16.1) only allows for admin and user rights from radius authentication to commands within the CLI. As part of 16.1 release we have added some other options from the CLI but not from radius. The following security enhancements were added in 16.1...
• Configurable timed lockout that is applied to accounts after a configurable number of failed logon attempts.
• Stronger hash algorithm for account passwords.
• Removal of unmasked passwords in the command line interface.
• Stronger obfuscation of RADIUS and TACACS+ shared secrets.
• Integrity checking of downloaded images.
• Syslog alert issued when a configurable percentage of the Syslog memory buffer is filled.
• Optionally restricting the use of “show log” and “show diagnostics” commands by non-administrator accounts.
• The “safe defaults” script (unconfigured switch startup wizard) enables these new options collectively, as well as forcing the user to change the default administrator and failsafe passwords.
07-04-2015 01:15 PM
Hi Daniel,
These VSAs were used and supported in older firmware (with limited commands) in FreeRadius & Merit Radius servers.
As this was supported with limited commands and only with a few Radius servers, we have removed this from EXOS 15.1.3.1 onwards.
We will work with the concerned team to remove the references wherever necessary.
Regards,
Naresh Pendem
07-04-2015 01:15 PM
Thanks Bill,
I have sort of given up getting it to work in the way I described earlier.
I'm still curious as to what the Extreme VSAs listed below are supposed to be used for, and why VSA 202 is no longer mentioned in the user guides?
ATTRIBUTE Extreme-CLI-Authorization 201 integer
ATTRIBUTE Extreme-Shell-Command 202 string
Best regards,
Daniel
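How the two dictionary entries quoted above sit on the wire inside a RADIUS Vendor-Specific attribute (type 26, RFC 2865), as an added example that is not from the thread or from Extreme. The vendor ID 1916 is an assumption (the IANA enterprise number registered to Extreme Networks, not stated in the thread), and the attribute values in the sample are constructed placeholders.

```python
import struct

# Assumption: 1916 is the IANA enterprise number for Extreme Networks;
# the thread itself does not state it.
EXTREME_VENDOR_ID = 1916
VENDOR_SPECIFIC = 26  # RADIUS attribute type for VSAs (RFC 2865, section 5.26)

# Sub-attribute numbers and types exactly as listed in the post above.
EXTREME_VSAS = {
    201: ("Extreme-CLI-Authorization", "integer"),
    202: ("Extreme-Shell-Command", "string"),
}

def encode_vsa(vendor_id, vtype, value):
    """Wrap one vendor sub-attribute in a Vendor-Specific (26) attribute."""
    data = struct.pack("!I", value) if isinstance(value, int) else value.encode()
    sub = struct.pack("!BB", vtype, len(data) + 2) + data
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body

def decode_extreme_vsas(attrs):
    """Walk a RADIUS attribute list and return the Extreme VSAs it carries."""
    found, pos = {}, 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute length")
        body = attrs[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC or len(body) < 6:
            continue  # not a VSA, or too short to hold vendor id + sub-attribute
        if struct.unpack("!I", body[:4])[0] != EXTREME_VENDOR_ID:
            continue  # VSA from another vendor
        sub = body[4:]
        while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
            vtype, vlen = sub[0], sub[1]
            name, kind = EXTREME_VSAS.get(vtype, (f"Unknown-{vtype}", "string"))
            raw = sub[2:vlen]
            if kind == "integer" and len(raw) == 4:
                found[name] = struct.unpack("!I", raw)[0]
            else:  # strings, and integers with an unexpected length
                found[name] = raw.decode("utf-8", "replace")
            sub = sub[vlen:]
    return found

# Constructed sample: one standard attribute, both Extreme VSAs with
# placeholder values, and a VSA from an unrelated (made-up) vendor id.
SAMPLE = (struct.pack("!BBI", 6, 6, 6)
          + encode_vsa(EXTREME_VENDOR_ID, 201, 1)
          + encode_vsa(EXTREME_VENDOR_ID, 202, "placeholder-command")
          + encode_vsa(65535, 1, "other-vendor"))
```

Running `decode_extreme_vsas` over the attribute bytes of a captured Access-Accept shows whether the server actually sent these VSAs and with which types.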
06-17-2015 10:00 AM
FYI
In the EXOS Concepts guide for older versions, i.e. 12.X, there is a chapter called "Configuring Command Authorization (RADIUS Profiles)". It describes exactly what I want to do, but only when using FreeRADIUS. This chapter is removed in later concepts guides, but the references to it are still there, just as you said.
In the ExtremeXOS 15.7 User Guide the references are gone and the "Extreme-Shell-Command" is not even listed.
//Daniel
