Manualshelf

Specifications

ManualsBrandsExtreme Networks ManualsComputer equipmentExtremeWare XOS Command
161162163164165166167168169170
Authenticating Users Using RADIUS or TACACS+
ExtremeWare XOS 11.0 Concepts Guide 169
Per Command Authentication Using RADIUS
You can use the RADIUS implementation to perform per command authentication. Per command
authentication allows you to define several levels of user capabilities by controlling the permitted
command sets based on the RADIUS user name and password.
You do not need to configure any additional switch parameters to take advantage of this capability. The
RADIUS server implementation automatically negotiates the per command authentication capability
with the switch.
Configuring RADIUS
You can define primary and secondary server communication information and, for each RADIUS server,
the RADIUS port number to use when talking to the RADIUS server. The default port value is 1812 for
authentication and 1813 for accounting. The client IP address is the IP address used by the RADIUS
server for communicating back to the switch.
RADIUS RFC 2138 Attributes
The RADIUS RFC 2138 optional attributes supported are as follows:
User-Name
User-Password
Service-Type
Login-IP-Host
Using RADIUS Servers with Extreme Networks Switches
Extreme Networks switches have two levels of user privilege:
Read-only
Read-write
Because no command line interface (CLI) commands are available to modify the privilege level, access
rights are determined when you log in. For a RADIUS server to identify the administrative privileges of
a user, Extreme Networks switches expect a RADIUS server to transmit the Service-Type attribute in the
Access-Accept packet, after successfully authenticating the user.
Extreme Networks switches grant a RADIUS-authenticated user read-write privilege if a Service-Type
value of 6 is transmitted as part of the Access-Accept message from the RADIUS server. Other
Service-Type values or no value, result in the switch granting read-only access to the user. Different
implementations of RADIUS handle attribute transmission differently. You should consult the
documentation for your specific implementation of RADIUS when you configure users for read-write
access.
TACACS+
Terminal Access Controller Access Control System Plus (TACACS+) is a mechanism for providing
authentication, authorization, and accounting on a centralized server, similar in function to RADIUS.
The ExtremeWare XOS version of TACACS+ is used to authenticate prospective users who are
attempting to administer the switch. TACACS+ is used to communicate between the switch and an
authentication database.