Using Radius For Ridgeline User Authentication; Configuring A Radius Server For Ridgeline User Authentication - Extreme Networks Ridgeline Guide Manual

Concepts and solutions guide

Managing Network Security
the switch to allow only authenticated, authorized access, and securing the management traffic between
the switch and the administrator's host to ensure confidentiality.
Ridgeline provides authentication and authorization for login to Ridgeline itself, so you can control who
can access Ridgeline and what functions they are allowed to perform. You can provide read-only access
to selected functions for some users, so they can monitor the network but not make any configuration
changes, while allowing other users to make changes to device configurations, policy settings, and so
on.
By default, Ridgeline communicates with devices for configuration changes using Telnet and TFTP. You
can optionally configure Ridgeline to use Secure Telnet (SSH) and Secure FTP to execute configuration
commands and to upload and download configuration files on your Extreme Networks switches.
Finally, you can secure the communication between Ridgeline clients and the Ridgeline server itself by
using SSH (HTTPS) instead of the standard HTTP protocol, which is the default.

Using RADIUS for Ridgeline User Authentication

Fundamental to the security of your network is controlling who has access to Ridgeline itself, and what
actions different Ridgeline users can perform. Ridgeline provides a built-in authentication and
authorization mechanism through the use of user IDs and passwords, and user roles.
By default, Ridgeline authenticates users using its own internal mechanism, based on the usernames
and passwords configured in Ridgeline Administration. However, for more robust authentication, or to
avoid maintaining multiple sets of authentication information, Ridgeline can function as a RADIUS
client, or, for demonstration purposes, Ridgeline can function as a RADIUS server.
Enabling Ridgeline as a RADIUS client lets Ridgeline use an external RADIUS server to authenticate users
attempting to log in to the Ridgeline server. At a minimum, the RADIUS server's "Service type" attribute
must be configured to specify the type of user to be authenticated. A more useful implementation is to
configure the external RADIUS server to return user role information along with the user authentication.
Enabling Ridgeline as a RADIUS server means that Ridgeline can act as an authentication service for
Extreme switches or other devices acting as RADIUS clients. This feature may be useful in demonstration
or test environments where a more robust authentication service is not needed. However, Ridgeline's
RADIUS server is not sufficiently robust to serve as a primary RADIUS server in a production
environment. If RADIUS authentication is needed, an external RADIUS server should be used, and
Ridgeline should be configured as a RADIUS client.

Configuring a RADIUS Server for Ridgeline User Authentication

Ridgeline uses administrator roles to determine who can access and control your Extreme Networks
network equipment through Ridgeline. A user's role determines what actions the administrative user is
allowed to perform, through Ridgeline or directly on the switch. When users are authenticated through
Ridgeline's built-in login process, Ridgeline knows what role each user is assigned, and grants access
accordingly.
If users are going to be authenticated by an outside RADIUS authentication service, then that service
needs to provide role information along with the user's authentication status. In the simplest case,
which is that users will always use one of the pre-defined roles that are built into Ridgeline, you can
configure the RADIUS server with a Service Type attribute to specify one of the built-in administrator
roles.
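The following added example (not taken from the Ridgeline manual or from Extreme Networks code) shows how a RADIUS client can verify an Access-Accept reply per RFC 2865 and read the Service-Type attribute from it, denying access when the reply is unauthenticated or carries no role information. The function names, shared secret and sample packets are constructed for illustration, and the mapping from Service-Type values to Ridgeline roles is site configuration that is not shown here.

```python
import hashlib
import hmac
import struct

SERVICE_TYPE = 6  # RFC 2865 attribute type for Service-Type
# RFC 2865 Service-Type values; mapping them to Ridgeline roles is site configuration.
SERVICE_TYPE_NAMES = {1: "Login", 6: "Administrative", 7: "NAS-Prompt"}
ACCESS_ACCEPT = 2


def build_access_accept(ident, request_auth, secret, attrs):
    """Construct a sample Access-Accept (stands in for the external server)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def service_type_from_reply(packet, request_auth, secret):
    """Return the Service-Type name from a verified Access-Accept, else None."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None  # wrong shared secret or tampered reply
    pos = 0
    while pos + 2 <= len(body):
        attr_type, attr_len = body[pos], body[pos + 1]
        if attr_len < 2 or pos + attr_len > len(body):
            return None  # malformed attribute: fail closed
        value = body[pos + 2:pos + attr_len]
        if attr_type == SERVICE_TYPE and len(value) == 4:
            return SERVICE_TYPE_NAMES.get(struct.unpack("!I", value)[0])
        pos += attr_len
    return None  # authenticated, but no role information: deny


# Constructed sample exchange (not captured traffic).
SECRET = b"example-shared-secret"
REQ_AUTH = bytes(range(16))
REPLY = build_access_accept(7, REQ_AUTH, SECRET, [(SERVICE_TYPE, struct.pack("!I", 6))])
NO_ROLE = build_access_accept(7, REQ_AUTH, SECRET, [(18, b"welcome")])

if __name__ == "__main__":
    print(service_type_from_reply(REPLY, REQ_AUTH, SECRET))
```

The second sample reply carries only a Reply-Message attribute (type 18), so the function returns None for it even though its authenticator is valid.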
Ridgeline Concepts and Solutions Guide

This manual is also suitable for:

Ridgeline 3.0
