Extreme Networks ExtremeWare 7.2e Installation And User Manual page 174

Software version 7.2e
Security
After modifying the 'vendor.ini' file, the desired user accounts must be configured for the
Max-Concurrent connections. Using the SBR Administrator application, enable the check box for
'Max-Concurrent connections' and fill in the desired number of maximum sessions.
Extreme RADIUS
Extreme Networks provides its users, free of charge, a radius server based on Merit RADIUS. Extreme
RADIUS provides per-command authentication capabilities in addition to the standard set of radius
features. Source code for Extreme RADIUS can be obtained from the Extreme Networks Technical
Assistance Center and has been tested on Red Hat Linux and Solaris.
When Extreme RADIUS is up and running, the two most commonly changed files will be users and
profiles. The users file contains entries specifying login names and the profiles used for per-command
authentication after they have logged in. Sending a HUP signal to the RADIUS process is sufficient to
get changes in the users file to take place. Extreme RADIUS uses the file named profiles to specify
command lists that are either permitted or denied to a user based on their login identity. Changes to the
profiles file require the RADIUS server to be shut down and restarted. Sending a HUP signal to the
RADIUS process is not enough to force changes to the profiles file to take effect.
When you create command profiles, you can use an asterisk to indicate any possible ending to any
particular command. The asterisk cannot be used as the beginning of a command. Reserved words for
commands are matched exactly to those in the profiles file. Due to the exact match, it is not enough to
simply enter "sh" for "show" in the profiles file; the complete word must be used. Commands can still
be entered in the switch in partial format.
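The following is an added example, not Extreme RADIUS code, that turns the profile rules stated above (trailing asterisk means any ending, no leading asterisk, reserved words matched exactly, abbreviated commands still accepted by the switch) into a per-command authorization check. The on-disk layout of the Extreme RADIUS profiles file is not shown on this page, so a profile is modelled as an ordered list of (action, pattern) pairs with first match winning and deny as the default; the list of reserved words used to expand abbreviations is constructed for the example. All of these are assumptions.

```python
# Added example (not Extreme RADIUS code): applies the profile-matching
# rules described on this page to a per-command authorization decision.
# Assumptions: profiles are modelled as ordered (action, pattern) pairs,
# first match wins, unmatched commands are denied, and RESERVED_WORDS is a
# constructed vocabulary standing in for the switch's own keyword table.
from typing import Iterable, List, Tuple

Rule = Tuple[str, str]  # ("permit" | "deny", "show vlan *")

# Constructed list of leading reserved words, used to expand abbreviations
# the way the switch CLI accepts them ("sh" -> "show") before matching.
RESERVED_WORDS = ["configure", "create", "delete", "disable", "enable",
                  "reboot", "save", "show", "unconfigure"]


def expand_command(command: str) -> str:
    """Expand an abbreviated leading keyword to its full reserved word.
    Only the first word is expanded here; ambiguous prefixes are an error."""
    words = command.split()
    if not words:
        raise ValueError("empty command")
    matches = [w for w in RESERVED_WORDS if w.startswith(words[0])]
    if len(matches) != 1:
        raise ValueError(f"ambiguous or unknown command word: {words[0]!r}")
    return " ".join([matches[0]] + words[1:])


def validate_pattern(pattern: str) -> None:
    """Reject a pattern the page says is not allowed: an asterisk at the
    beginning of a command. The asterisk is only meaningful at the end."""
    words = pattern.split()
    if not words:
        raise ValueError("empty pattern")
    if words[0].startswith("*"):
        raise ValueError(f"asterisk cannot begin a command: {pattern!r}")
    if any("*" in w for w in words[:-1]):
        raise ValueError(f"asterisk only allowed at the end: {pattern!r}")


def pattern_is_valid(pattern: str) -> bool:
    """Boolean form of validate_pattern, convenient for checking a profile."""
    try:
        validate_pattern(pattern)
    except ValueError:
        return False
    return True


def pattern_matches(pattern: str, command: str) -> bool:
    """Word-by-word exact match. A trailing '*' stands for any possible
    ending (including none, an assumption); reserved words are compared
    exactly, so 'sh' in a profile never matches 'show'."""
    pwords, cwords = pattern.split(), command.split()
    if not pwords[-1].endswith("*"):
        return pwords == cwords
    head, prefix = pwords[:-1], pwords[-1][:-1]
    if cwords[:len(head)] != head:
        return False
    rest = cwords[len(head):]
    if prefix == "":
        return True
    return bool(rest) and rest[0].startswith(prefix)


def command_permitted(command: str, profile: Iterable[Rule]) -> bool:
    """Per-command authorization: expand the abbreviation the user typed,
    then return the action of the first profile rule that matches."""
    full = expand_command(command)
    for action, pattern in profile:
        validate_pattern(pattern)
        if pattern_matches(pattern, full):
            return action == "permit"
    return False  # deny by default (assumption)


if __name__ == "__main__":
    profile: List[Rule] = [("deny", "configure account *"),
                           ("permit", "show *"),
                           ("permit", "configure *")]
    for cmd in ("sh vlan default", "configure account admin", "reboot"):
        print(f"{cmd!r}: {'permit' if command_permitted(cmd, profile) else 'deny'}")
```

Note that the expansion happens on the switch side of the exchange: the RADIUS profile only ever sees full reserved words, which is why an abbreviated entry such as "sh *" in a profile matches nothing.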
When you use per-command authentication, you must ensure that communication between the
switch(es) and radius server(s) is not lost. If the RADIUS server crashes while users are logged in, they
will have full administrative access to the switch until they log out. Using two RADIUS servers and
enabling idle timeouts on all switches will greatly reduce the chance of a user gaining elevated access
due to RADIUS server problems.
RADIUS Server Configuration Example (Merit)
Many implementations of RADIUS server use the publicly available Merit AAA server application,
available on the World Wide Web at:
http://www.merit.edu/aaa
Included below are excerpts from relevant portions of a sample Merit RADIUS server implementation.
The example shows excerpts from the client and user configuration files. The client configuration file
(ClientCfg.txt) defines the authorized source machine, source name, and access level. The user
configuration file (users) defines username, password, and service type information.

ClientCfg.txt
#Client Name         Key                [type]                     [version]  [prefix]
#----------------    ---------------    --------------             ---------  --------
#10.1.2.3:256        test               type = nas                 v2         pfx
#pm1                 %^$%#*(&!(*&)+     type=nas                              pm1.
#pm2                 :-):-(;^):-}!      type nas                              pm2.
#merit.edu/homeless  hmoemreilte.ses    type proxy                 v1
#homeless            testing            type=Ascend:NAS            v1
#xyz.merit.edu       moretesting        type=NAS+RAD_RFC+ACCT_RFC
#anyoldthing:1234    whoknows?          type=nas
10.202.1.3           andrew-linux       type=nas
10.203.1.41          eric               type=nas
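As an added example (not Merit or Extreme Networks code), the parser below reads the ClientCfg.txt excerpt above and separates the commented-out sample rows from the two entries that actually authorize a NAS, so an administrator can confirm which source machines a RADIUS server will accept and how long their shared secrets are. The column semantics (name with optional :port, key, type, version, prefix) are taken from the excerpt's header row; the tolerant handling of "type = nas" versus "type=nas", and the 16-character minimum used to flag short shared secrets, are assumptions of this example.

```python
# Added example (not Merit or Extreme code): parse the ClientCfg.txt excerpt
# reproduced on this page and report which client entries are active.
# Assumptions: columns follow the header row (name[:port], key, [type],
# [version], [prefix]); "type" may be written with or without "=";
# the 16-character secret threshold in weak_secrets() is a constructed policy.
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample text copied from the page's excerpt (embedded so the example runs offline).
SAMPLE_CLIENTCFG = """\
#Client Name         Key                [type]                     [version]  [prefix]
#----------------    ---------------    --------------             ---------  --------
#10.1.2.3:256        test               type = nas                 v2         pfx
#pm1                 %^$%#*(&!(*&)+     type=nas                              pm1.
#pm2                 :-):-(;^):-}!      type nas                              pm2.
#merit.edu/homeless  hmoemreilte.ses    type proxy                 v1
#homeless            testing            type=Ascend:NAS            v1
#xyz.merit.edu       moretesting        type=NAS+RAD_RFC+ACCT_RFC
#anyoldthing:1234    whoknows?          type=nas
10.202.1.3           andrew-linux       type=nas
10.203.1.41          eric               type=nas
"""

HEADER_RE = re.compile(r"^#?\s*(Client Name|-+)")   # column header / separator rows
TYPE_RE = re.compile(r"\btype\s*=?\s*(\S+)")         # "type = nas", "type=nas", "type nas"
VERSION_RE = re.compile(r"v\d+")


@dataclass
class ClientEntry:
    name: str
    port: Optional[int]
    key: str
    client_type: Optional[str]
    version: Optional[str]
    prefix: Optional[str]
    active: bool        # False when the row is commented out with '#'


def parse_line(line: str) -> Optional[ClientEntry]:
    """Parse one ClientCfg.txt row; returns None for blank/header rows."""
    raw = line.strip()
    if not raw or HEADER_RE.match(raw):
        return None
    active = not raw.startswith("#")
    tokens = raw.lstrip("#").split()
    if len(tokens) < 2:
        raise ValueError(f"client row needs a name and a key: {raw!r}")
    name, key, rest = tokens[0], tokens[1], " ".join(tokens[2:])
    client_type = version = prefix = None
    m = TYPE_RE.search(rest)
    if m:
        client_type = m.group(1)
        rest = rest[:m.start()] + rest[m.end():]
    for tok in rest.split():
        if VERSION_RE.fullmatch(tok):
            version = tok
        else:
            prefix = tok
    host, _, port = name.partition(":")
    return ClientEntry(host, int(port) if port else None, key,
                       client_type, version, prefix, active)


def parse_clientcfg(text: str) -> List[ClientEntry]:
    """Parse a whole file; commented rows are kept but marked inactive."""
    entries = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def active_clients(entries: List[ClientEntry]) -> List[ClientEntry]:
    """Only uncommented rows authorize a source machine to talk to the server."""
    return [e for e in entries if e.active]


def weak_secrets(entries: List[ClientEntry], min_len: int = 16) -> List[str]:
    """Names of active clients whose shared secret is shorter than min_len
    (constructed threshold; pick the policy appropriate for the deployment)."""
    return [e.name for e in active_clients(entries) if len(e.key) < min_len]


if __name__ == "__main__":
    parsed = parse_clientcfg(SAMPLE_CLIENTCFG)
    for e in active_clients(parsed):
        print(f"{e.name} type={e.client_type} secret_len={len(e.key)}")
    print("short secrets:", weak_secrets(parsed))
```

Run against the excerpt, only 10.202.1.3 and 10.203.1.41 are active; both carry secrets shorter than the example's threshold, which is the kind of finding worth checking before relying on the server for per-command authentication.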