Hi all, I'm trying to do per-command authorization with extreme networks switch (x450) and FR. According to extreme it's possible to do this with FR ... http://www.extremenetworks.com/libraries/services/ExtremeXOSConceptsGuideSof... page 816. "Command authorization is enabled in the users file on a FreeRADIUS server, and configured in the profiles file. Additional configuration is required in the dictionary file and the clients file." All you need is : -extreme VSA in dictionary -in users file : test Password = "test", Service-Type = Administrative, Profile-Name = "Profile1" Filter-Id = "unlim" Extreme:Extreme-CLI-Authorization = Enabled -in clients file : type:extreme:nas + RAD_RFC + ACCT_RFC -in profiles file (???) PROFILE1 deny { enable *, disable ipforwarding show switch } **** After some syntax tweaking : --Adding "Profile-Name" to dictionnary ATTRIBUTE Profile-Name 3500 string --adding in clients.conf client 10.0.0.10 { nastype = nas secret = XtremeSecret shortname = X450 } --adding in users file test Auth-Type := System, Service-Type := Administrative-User,Profile-Name := "PROFILE1" Service-Type = Administrative-User, Filter-Id = "unlim", Extreme-CLI-Authorization = Enabled --creating and filling /etc/freeradius/profiles file **** i've got : --- login to the switch : OK --- the switch send every user command to the FR server : OK --- FR check the "profiles" file to see if the user is authorized to execute this command : NOT OK It seems that FR don't care about the "profiles" file. The switch had only 2 level of authorization : - Service-Type = Administrative-User = read-write - Service-Type = anything else = read-only Maybe i've missed something ... My questions are : Is it possible to do what they claim with FR ? Is it possible to check an external file (by using external script) from "users" file or from any other FR config files to do the job ? Regards Rija
participants (1)
-
Rija perso