Extreme Networks ExtremeWare XOS Guide Manual page 327

command lists that are either permitted or denied to a user based on their login identity. Changes to the
profiles file require the RADIUS server to be shutdown and restarted. Sending a HUP signal to the
RADIUS process is not enough to force changes to the profiles file to take effect.
When you create command profiles, you can use an asterisk to indicate any possible ending to any
particular command. The asterisk cannot be used as the beginning of a command. Reserved words for
commands are matched exactly to those in the profiles file. Due to the exact match, it is not enough to
simply enter "sh" for "show" in the profiles file, the complete word must be used. Commands can still
be entered in the switch in partial format.
When you use per-command authentication, you must ensure that communication between the
switch(es) and radius server(s) is not lost. If the RADIUS server crashes while users are logged in, they
will have full administrative access to the switch until they log out. Using two RADIUS servers and
enabling idle timeouts on all switches will greatly reduce the chance of a user gaining elevated access
due to RADIUS server problems.
Cistron RADIUS
Cistron RADIUS is a popular server, distributed under GPL. Cistron RADIUS can be found at:
http://www.miquels.cistron.nl/radius/
When you configure the Cistron server for use with Extreme switches, you must pay close attention to
the users file setup. The Cistron RADIUS dictionary associates the word Administrative-User with
Service-Type value 6, and expects the Service-Type entry to appear alone on one line with a leading tab
character.
The following is a user file example for read-write access:
adminuser Auth-Type = System
Service-Type = Administrative-User,
Filter-Id = "unlim"
RSA Ace
For users of their SecureID product, RSA offers RADIUS capability as part of their ACE server software.
With some versions of ACE, the RADIUS shared-secret is incorrectly sent to the switch resulting in an
inability to authenticate. As a work around, do not configure a shared-secret for RADIUS accounting
and authentication servers on the switch.
Limiting Max-Concurrent Sessions with Funk Software's Steel Belted Radius
For users who have Funk Software's Steel Belted Radius (SBR) server, it is possible to limit the number
of concurrent login sessions using the same user account. This feature allows the use of shared user
accounts, but limits the number of simultaneous logins to a defined value. Using this feature requires
Funk Software Steel-Belted-Radius for Radius Authentication & Accounting.
ExtremeWare XOS 11.3 Concepts Guide
Authenticating Users Using RADIUS or TACACS+
327