User guide

3-18 ExtremeWare Software User Guide
Managing the Switch
compiled format for Solaris or Linux operating systems, as well as in source code format. For all clients that use RADIUS per-command authentication, you must add the following type to the client file:

type:extreme:nas + RAD_RFC + ACCT_RFC
Within the users configuration file, additional keywords are available for Profile-Name and Extreme-CLI-Authorization. To use per-command authentication, enable the CLI authorization function and indicate a profile name for that user. If authorization is enabled without specifying a valid profile, the user is unable to perform any commands.
Next, define the desired profiles in an ASCII configuration file called profiles. This file contains named profiles of exact or partial strings of CLI commands. A named profile is linked with a user through the users file. A profile with the permit on keywords allows use of only the listed commands. A profile with the deny keyword allows use of all commands except the listed commands.
CLI commands may be defined easily in a hierarchical manner by using an asterisk (*) to indicate any possible subsequent entry. The parser performs exact string matches on all other text to validate commands. Commands are separated by a comma (,) or a newline.
Looking at the following example content in profiles for the profile named PROFILE1, which uses the deny keyword, the following attributes are associated with the user of this profile:

- Cannot use any command starting with enable.
- Cannot issue the disable ipforwarding command.
- Cannot issue a show switch command.
- Can perform all other commands.

We know from the users file that this applies to the users albert and lulu. We also know that eric is able to log in, but is unable to perform any commands, because he has no valid profile assigned.
In PROFILE2, a user associated with this profile can use any enable command, the clear counter command and the show management command, but can perform no other functions on the switch. We also know from the users file that gerald has these capabilities.
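The matching rules above (permit lists only the allowed commands, deny lists only the forbidden ones, a trailing asterisk matches any further words, everything else is an exact match, commands separated by commas or newlines) can be checked offline with the following added example. It is not code from the guide or from the RADIUS server; the brace layout of the sample profiles file and the user-to-profile table are assumptions constructed from the PROFILE1, PROFILE2, albert, lulu, eric and gerald examples in the text.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample profiles file. The layout (name and keyword on one line,
# commands inside braces) is an assumption; the semantics follow the guide.
PROFILES_TEXT = """
PROFILE1 deny
{
enable *, disable ipforwarding
show switch
}
PROFILE2 permit
{
enable *
clear counter, show management
}
"""

# Constructed user-to-profile mapping from the guide's example; eric has CLI
# authorization enabled but no valid profile, so he may run nothing.
USER_PROFILES = {"albert": "PROFILE1", "lulu": "PROFILE1",
                 "gerald": "PROFILE2", "eric": None}


def parse_profiles(text: str) -> Dict[str, Tuple[str, List[str]]]:
    """Return {profile name: (keyword, [command patterns])}."""
    profiles = {}
    for m in re.finditer(r"(\S+)\s+(permit|deny)\s*\{(.*?)\}", text, re.S):
        name, keyword, body = m.groups()
        # Commands are separated by a comma or a newline.
        cmds = [c.strip() for c in re.split(r"[,\n]", body) if c.strip()]
        profiles[name] = (keyword, cmds)
    return profiles


def matches(pattern: str, command: str) -> bool:
    """Exact word-for-word match; a trailing '*' matches any later words."""
    pat, cmd = pattern.split(), command.split()
    if pat and pat[-1] == "*":
        return cmd[:len(pat) - 1] == pat[:-1]
    return cmd == pat


PROFILES = parse_profiles(PROFILES_TEXT)


def authorized(user: str, command: str) -> bool:
    """Decide whether `user` may run `command` under the assigned profile."""
    name = USER_PROFILES.get(user)
    if name not in PROFILES:  # no valid profile: no commands at all
        return False
    keyword, cmds = PROFILES[name]
    listed = any(matches(p, command) for p in cmds)
    return listed if keyword == "permit" else not listed
```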
The following lists the contents of the file users with support for per-command authentication: