Extreme Networks ExtremeWare 7.2e Installation And User Manual page 172

Security
To enable RADIUS accounting, use the following command:
enable radius-accounting
To disable RADIUS accounting, use the following command:
disable radius-accounting
Per-Command Authentication Using RADIUS
The RADIUS implementation can be used to perform per-command authentication. Per-command
authentication allows you to define several levels of user capabilities by controlling the permitted
command sets based on the RADIUS username and password. You do not need to configure any
additional switch parameters to take advantage of this capability. The RADIUS server implementation
automatically negotiates the per-command authentication capability with the switch. For examples on
per-command RADIUS configurations, see the next section.
Configuring RADIUS Client
You can define primary and secondary server communication information, and for each RADIUS server,
the RADIUS port number to use when talking to the RADIUS server. The default port value is 1645. The
client IP address is the IP address used by the RADIUS server for communicating back to the switch.
RADIUS RFC 2138 Attributes
The RADIUS RFC 2138 optional attributes supported are as follows:
• User-Name
• User-Password
• Service-Type
• Login-IP-Host
Using RADIUS Servers with Extreme Switches
Extreme Networks switches have two levels of user privilege:
• Read-only
• Read-write
Because there are no CLI commands available to modify the privilege level, access rights are
determined when you log in. For a RADIUS server to identify the administrative privileges of a user,
Extreme switches expect a RADIUS server to transmit the Service-Type attribute in the Access-Accept
packet, after successfully authenticating the user.
Extreme switches grant a RADIUS-authenticated user read-write privilege if a Service-Type value of 6 is
transmitted as part of the Access-Accept message from the Radius server. Other Service-Type values, or
no value, result in the switch granting read-only access to the user. Different implementations of
RADIUS handle attribute transmission differently. You should consult the documentation for your
specific implementation of RADIUS when you configure users for read-write access.
Cistron RADIUS
Cistron RADIUS is a popular server, distributed under GPL. Cistron RADIUS can be found at:
http://www.miquels.cistron.nl/radius/
172 ExtremeWare 7.2e Installation and User Guide