Authenticating Users
Summit 300-48 Switch Software User Guide 45
eric Password = "", Service-Type = Administrative
Filter-Id = "unlim"
albert Password = "password", Service-Type = Administrative
Filter-Id = "unlim"
samuel Password = "password", Service-Type = Administrative
Filter-Id = "unlim"
RADIUS Per-Command Configuration Example
Building on this example configuration, you can use RADIUS to perform per-command authentication
to differentiate user capabilities. To do so, use the Extreme-modified RADIUS Merit software that is
available from the Extreme Networks web server at
http://www.extremenetworks.com/extreme/support/otherapps.htm or by contacting Extreme
Networks technical support. The software is available in compiled format for Solaris or Linux
operating systems, as well as in source code format. For all clients that use RADIUS per-command
authentication, you must add the following type to the client file:
type:extreme:nas + RAD_RFC + ACCT_RFC
Within the users configuration file, additional keywords are available for Profile-Name and
Extreme-CLI-Authorization. To use per-command authentication, enable the CLI authorization
function and indicate a profile name for that user. If authorization is enabled without specifying a valid
profile, the user is unable to perform any commands.
Next, define the desired profiles in an ASCII configuration file called profiles. This file contains
named profiles of exact or partial strings of CLI commands. A named profile is linked with a user
through the users file. A profile with the permit on keywords allows use of only the listed commands.
A profile with the deny keyword allows use of all commands except the listed commands.
CLI commands can be defined easily in a hierarchal manner by using an asterisk (*) to indicate any
possible subsequent entry. The parser performs exact string matches on other text to validate
commands. Commands are separated by a comma (,) or newline.
Looking at the following example content in profiles for the profile named PROFILE1, which uses the
deny keyword, the following attributes are associated with the user of this profile:
Cannot use any command starting with enable.
Cannot issue the disable ipforwarding command.
Cannot issue a show switch command.
Can perform all other commands.
We know from the users file that this applies to the users albert and lulu. We also know that eric is
able to log in, but is unable to perform any commands, because he has no valid profile assigned.
In PROFILE2, a user associated with this profile can use an y enable command, the clear counter
command and the show management command, but can perform no other functions on the switch. We
also know from the users file that gerald has these capabilities.
The following lists the contents of the file users with support for per-command authentication:
user Password = ""