Extreme Networks EPICenter Guide Manual page 111

In your authentication database, create a Group for each administrative role you plan to use in
●
EPICenter, and then configure the appropriate users with the appropriate group membership. For
example, if you want to authenticate both EPICenter Admin and Manger users, you must create a
group for each one.
Within the RADIUS server do the following:
●
Add EPICenter as a RADIUS client
■
Create Remote Access Policies for each EPICenter role, and associate each policy with the
■
appropriate Active Directory group. For example, if you plan to have both EPICenter Admin
and Manager users, you must create a Remote Access Policy for each one, then associate each
policy with the appropriate group.
Edit each Remote Access Policy to configure it with the appropriate Service Type attribute
■
value or VSA for the appropriate EPICenter role.
The following examples briefly explain how to configure a remote access policy so that the RADIUS
server will pass role information to EPICenter. If you have created custom roles for EPICenter users,
you must use a VSA to handle that role information. If you are just using the predefined (built-in) roles
in EPICenter, you can use either a Service Type setting, or a VSA. Examples of both are provided here.
See Appendix D, "Configuring RADIUS for EPICenter Authentication"
configuring EPICenter and your RADIUS server to accomplish user authentication.
Example: Setting up a VSA to Return EPICenter Role Information
The following is an example of how to set up the VSA in Windows 2000 for a custom (user-defined)
role named "AlarmsOnly". Note that you must have an Administrator Role in EPICenter to perform
these steps.
This assumes that EPICenter has been configured as a RADIUS client in the EPICenter Admin applet,
and on the RADIUS server. (See
a detailed walk-through example of how to configure and external RADIUS server for EPICenter
authentication.)
1 In the EPICenter Administrator applet, create a role named "AlarmsOnly".
2 From the Internet Authentication Service (IAS), add or edit a Remote Access Policy.
Setup the policy conditions as appropriate.
Remote access policies are a set of conditions and connection parameters that are used to grant users
remote access permissions and connection usage.
3 Click "Edit Profile" to edit the remote access policy. Go to the "Advanced" tab and add a "Vendor-
Specific" attribute.
Setup the attribute with the following values:
Vendor code: 1916
Vendor-assigned attribute number: 210
Attribute format: String
Attribute value: AlarmsOnly
Once this has been set up, for all users logging into EPICenter who match the conditions defined in the
remote access policy, a VSA with value "AlarmsOnly" will be passed to EPICenter. EPICenter then will
apply the user role "AlarmsOnly" to those users to provide feature access as defined by that role.
EPICenter Concepts and Solutions Guide
Appendix D, "Configuring RADIUS for EPICenter Authentication"
Management Access Security
for a detailed example of
for
111