Radius vs TACACS - CLI Authorization

vobelic
New Contributor II
I'm looking to set up authorization based on CLI command with either TACACS or RADIUS.
Apparently RADIUS seems to be a no-go according to this post: https://community.extremenetworks.com/extreme/topics/configuring-command-authorization-using-windows...

TACACS on the other hand has the option in XOS
#enable tacacs-authorization
Can someone confirm this is currently only possible with TACACS and explain why such support is missing from RADIUS with XOS 15.1 onwards?
After all, TACACS is Cisco while RADIUS should be open and the preferred way.
8 REPLIES

dflouret
Extreme Employee
EXOS per-command authorization works OK if you're willing to use and modify FreeRADIUS.

I did some investigations on a personal basis some time ago. This is very informally documented in this file:
https://www.dropbox.com/s/m4ukvkrl3wyt2qq/EXOS%20Per-Command%20Authentication.docx?dl=0

The document mentions several files that have to be installed in FreeRADIUS and that can be found here:
https://www.dropbox.com/s/e944v2o73404f57/EXOS_PCA_files.zip?dl=0

Be warned, this will work but with no guarantee. Also, Extreme Networks is not involved in any way in this development.

Haven't played with it in a long time, so no guarantees it will work with the latest FreeRADIUS releases.

Feel free to experiment.

Kunlin_Lu
New Contributor
How to deny some commands with TACACS+ on EXOS?
How to assign admin rights to an account with TACACS+?

Drew_C
Valued Contributor III
Hi Kunlin,
I don't recall how EXOS will handle that since that command requires an admin-level account. If you're able to do some testing, I'd be curious to see what you find out.

Hi Drew

It works, thanks a lot.

I have one more question.
If priv-lvl is not 15 and the user needs to exec "show configuration",
how to do it?
