Owner's Manual
Chapter 17. Security | 491
NETGEAR 8800 User Manual
Configuring the Profiles File
The following RADIUS profiles file entries show an example configuration for three profiles:
PROFILE1 deny
{
enable *, disable ipforwarding
show switch
}
PROFILE2
{
enable *, clear counters
show management
}
PROFILE3 deny
{
create vlan *, configure iproute *, disable *, show fdb
delete *, configure rip add
}
The following guidelines apply to the profiles file:
• Changes to the profiles file require the RADIUS server to be shut down and restarted.
• A profile with the permit keyword allows use of only the listed commands.
• A profile with the deny keyword allows the use of all commands except the listed commands.
• Commands are separated by a comma (,) or return.
• When you create command profiles, you can use an asterisk to indicate any possible ending to any particular command.
• The asterisk cannot be used at the beginning of a command.
• Reserved words for commands are matched exactly to those in the profiles file. Because of the exact match, it is not enough to simply enter “sh” for “show” in the profiles file; the complete word must be used. Commands can still be entered on the switch in partial format.
• When you use per-command authorization, you must ensure that communication between each switch and the RADIUS servers is not lost. If the only operating RADIUS server crashes while users are logged in, users have full administrative access to the switch until they log out. Using two RADIUS servers and enabling idle timeouts on all switches greatly reduces the chance of a user gaining elevated access due to RADIUS server problems.
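To make the matching rules above concrete, here is an added Python example (not part of the manual and not NETGEAR's code) that parses a profiles file in the format shown and decides whether a given command is authorized under a profile. It embeds the three example profiles as constructed sample input. Two points are assumptions rather than statements from the manual: a header with no keyword (PROFILE2) is treated as permit, and an asterisk anywhere other than the end of a pattern is rejected. Because reserved words are matched exactly, the checker expects the fully expanded command; the usage note shows what happens if a partial form such as "sh switch" is passed instead.

```python
"""Parse a RADIUS per-command authorization profiles file and evaluate commands."""

# Constructed sample input: the three profiles from the manual's example,
# embedded here so the script runs offline.
SAMPLE_PROFILES = """\
PROFILE1 deny
{
enable *, disable ipforwarding
show switch
}
PROFILE2
{
enable *, clear counters
show management
}
PROFILE3 deny
{
create vlan *, configure iproute *, disable *, show fdb
delete *, configure rip add
}
"""


def validate_pattern(pattern):
    """A pattern may end with '*' but may not begin with it.

    Assumption: an asterisk in the middle of a pattern is also rejected,
    since the manual only describes it as a wildcard for the command ending.
    """
    words = pattern.split()
    if not words or words[0] == "*":
        return False
    return "*" not in words[:-1]


def parse_profiles(text):
    """Return {profile_name: (mode, [patterns])}, where mode is 'permit' or 'deny'."""
    profiles = {}
    name = mode = None
    body = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if name is None:
            # Header line: NAME [permit|deny]. Assumption: a header with no
            # keyword (PROFILE2 in the sample) is treated as permit.
            parts = line.split()
            name = parts[0]
            mode = parts[1].lower() if len(parts) > 1 else "permit"
            if mode not in ("permit", "deny"):
                raise ValueError("unknown keyword %r in profile %s" % (parts[1], name))
            body = []
        elif line == "{":
            continue
        elif line == "}":
            patterns = []
            for entry in body:
                # Commands are separated by a comma or by a line break.
                for cmd in entry.split(","):
                    cmd = " ".join(cmd.split())
                    if not cmd:
                        continue
                    if not validate_pattern(cmd):
                        raise ValueError("bad pattern %r in profile %s" % (cmd, name))
                    patterns.append(cmd)
            profiles[name] = (mode, patterns)
            name = mode = None
        else:
            body.append(line)
    if name is not None:
        raise ValueError("profile %s is missing its closing '}'" % name)
    return profiles


def pattern_matches(pattern, command):
    """Exact word-by-word match; a trailing '*' matches any ending."""
    pwords = pattern.split()
    cwords = command.split()
    if pwords[-1] == "*":
        prefix = pwords[:-1]
        return cwords[:len(prefix)] == prefix
    return cwords == pwords


def authorize(profiles, profile_name, command):
    """True if `command` (fully expanded) is allowed under `profile_name`."""
    mode, patterns = profiles[profile_name]
    listed = any(pattern_matches(p, command) for p in patterns)
    # permit: only listed commands are allowed; deny: everything except them.
    return listed if mode == "permit" else not listed


if __name__ == "__main__":
    profiles = parse_profiles(SAMPLE_PROFILES)
    for prof, cmd in [("PROFILE1", "enable ipforwarding"),
                      ("PROFILE1", "show management"),
                      ("PROFILE2", "show switch"),
                      ("PROFILE3", "configure rip add vlan default")]:
        print(prof, repr(cmd), "->", "allowed" if authorize(profiles, prof, cmd) else "denied")
```

Note that under PROFILE1 the partial form "sh switch" is not matched by the "show switch" entry and would therefore be allowed by a deny profile, which is exactly why the profiles file must use complete reserved words and the authorization check must see the expanded command. The PROFILE3 case also shows that "configure rip add" without an asterisk blocks only that exact command, not "configure rip add vlan default".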