Using Radius For User Authentication; Setting Up Epicenter Roles Using Radius; Securing Management Traffic - Extreme Networks EPICenter Guide Manual

Managing Network Security

Using RADIUS for User Authentication

EPICenter can function as either a RADIUS server, or as a RADIUS client.
Enabling EPICenter as a RADIUS server means that Extreme switches can act as RADIUS clients,
authenticating users against the RADIUS server's database of users, as administered through EPICenter.
Thus, even if a user accesses the switch directly through Telnet or a browser, the RADIUS server will
provide the authentication service.
Enabling EPICenter as a RADIUS client lets EPICenter use RADIUS to authenticate users attempting to
login to the EPICenter server. In addition, an external RADIUS server can be configured to return user role
information as well as the user authentication.

Setting up EPICenter Roles using RADIUS

Fundamental to administrator access and control of your Extreme Networks products is setting up one
or more administrator roles on each switch. A role determines what actions the administrative user is
allowed on the switch or through EPICenter. For example, you need a superuser equivalent
administrator who controls and monitors all products in the network. You may also want to create one
or more sub-administrative roles to allow others to monitor the network without giving them the ability
to reconfigure the network. To create user roles in EPICenter you add new roles using the Admin
Manager and enable access to the appropriate EPICenter features.
If EPICenteris configured as a RADIUS client, when a user attempts to login to the EPICenter server,
EPICenter will request authentication from an external RADIUS server. The external RADIUS server can
also be configured to return role information to EPICenter as a Vendor-Specific Attribute (VSA) along
with a successful authentication. You must create corresponding roles in the EPICenter Administration
applet for every role that the RADIUS server may return. For example, you configure a monitor-only
role in the Administration applet. You then assign the corresponding monitor-only group to the users in
the RADIUS database you want to give monitoring rights to. When that user authenticates with
RADIUS, the RADIUS sever returns the monitor-only group VSA which EPICenter used to assign the
appropriate management role to the user.
If a user is authenticated with a role that EPICenter does not recognize, the user will be given the Monitor
role by default. See "Configuring a RADIUS Server to Pass Roles" in Appendix B in the EPICenter Reference
Guide for information on configuring a RADIUS server to pass role information to EPICenter along with
the user authentication.

Securing Management Traffic

Management traffic between a management application like EPICenter and the managed network
devices can reveal confidential information about your network if this traffic is transmitted in the clear.
Two approaches to encrypting this traffic is managing the network products using SNMPv3, or
accessing the network product directly using SSH.
Using SNMPv3 for Secure Management
SNMPv3 is a series RFCs (RFC 2273 through RFC 2275) defined by IETF to provide management
capabilities that guarantee authentication, message integrity, and confidentiality of management traffic.
SNMPv3 includes the option to encrypt traffic between the agent (residing on the network device) and
the management application (EPICenter). This prevents unauthorized eavesdropping on sensitive
management data.
100 EPICenter Concepts and Solutions Guide