RADIUS Attributes for Lenovo N/OS User Privileges
© Copyright Lenovo 2015
When the user logs in, the switch authenticates his/her level of access by sending
the RADIUS access request, that is, the client authentication request, to the
RADIUS authentication server.
If the remote user is successfully authenticated by the authentication server, the
switch will verify the privileges of the remote user and authorize the appropriate
access. The administrator has two options: to allow backdoor access via Telnet, SSH,
HTTP, or HTTPS, or to allow secure backdoor access via console, Telnet, SSH, or BBI.
Secure backdoor provides access to the switch when the RADIUS servers cannot be
reached.
The default CN4093 setting for backdoor and secure backdoor access is disabled.
Backdoor access is always enabled on the console port.
Whether or not backdoor is enabled, you can always access the switch via
the console port by using noradius as the RADIUS username. You can then enter the
username and password configured on the switch. If you are trying to connect via
SSH/Telnet/HTTP/HTTPS, there are two possibilities:
- Backdoor is enabled: The switch acts like it is connecting via console.
- Secure backdoor is enabled: You must enter the username: noradius. The switch
  checks if the RADIUS server is reachable. If it is reachable, then you must
  authenticate via the remote authentication server. Only if the RADIUS server is
  not reachable will you be prompted for the local user/password, which is
  authenticated against the local credentials.
All user privileges, other than those assigned to the Administrator, have to be
defined in the RADIUS dictionary. RADIUS attribute 6, which is built into all
RADIUS servers, defines the administrator. The file name of the dictionary is
RADIUS vendor-dependent. The following RADIUS attributes are defined for
Lenovo N/OS user privilege levels:
Table 9. Lenovo N/OS-proprietary Attributes for RADIUS

User Name/Access          User-Service-Type    Value
User                      Vendor-supplied      255
Operator                  Vendor-supplied      252
Administrator (USERID)    Vendor-supplied      6
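The following is an added example, not part of the Lenovo documentation: Python that walks the attribute TLVs of a RADIUS Access-Accept (packet and attribute layout per RFC 2865) and maps the Service-Type attribute (type 6) to the privilege levels in Table 9, which is useful when checking a packet capture for the privilege a server actually grants. The sample packet is constructed, the function names are hypothetical, and returning None for a missing or unlisted Service-Type is an assumption of this sketch, not documented switch behaviour.

```python
import struct

# Service-Type values from Table 9 of this page.
PRIVILEGE_BY_SERVICE_TYPE = {255: "User", 252: "Operator", 6: "Administrator"}

ACCESS_ACCEPT = 2   # RADIUS packet code (RFC 2865)
SERVICE_TYPE = 6    # RADIUS attribute type (RFC 2865)


def iter_attributes(packet: bytes):
    """Yield (type, value) for each attribute TLV in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length field")
    pos = 20  # skip code, identifier, length and the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        yield attr_type, packet[pos + 2:pos + attr_len]
        pos += attr_len


def granted_privilege(packet: bytes):
    """Return the Table 9 privilege an Access-Accept grants, else None.

    The Response Authenticator is not verified here; this only decodes.
    """
    if not packet or packet[0] != ACCESS_ACCEPT:
        return None
    for attr_type, value in iter_attributes(packet):
        if attr_type == SERVICE_TYPE and len(value) == 4:
            return PRIVILEGE_BY_SERVICE_TYPE.get(struct.unpack("!I", value)[0])
    return None  # assumption: no Service-Type means no mapped privilege


def build_accept(service_type: int) -> bytes:
    """Constructed sample: Access-Accept carrying one Service-Type attribute."""
    attr = struct.pack("!BBI", SERVICE_TYPE, 6, service_type)
    header = struct.pack("!BBH16s", ACCESS_ACCEPT, 1, 20 + len(attr), bytes(16))
    return header + attr


if __name__ == "__main__":
    for st in (255, 252, 6, 1):
        print(st, granted_privilege(build_accept(st)))
```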
Chapter 6: Authentication & Authorization Protocols