Another command authorization question

Rija perso rija.rasolo at univ-rouen.fr
Wed Feb 3 15:10:55 CET 2010


Hi all,
I'm trying to do per-command authorization with an Extreme Networks switch 
(X450) and FR.
According to Extreme it's possible to do this with FR ...
http://www.extremenetworks.com/libraries/services/ExtremeXOSConceptsGuideSoftwareVersion12_3_rev2.zip 

page 816.
"Command authorization is enabled in the users file on a FreeRADIUS server, 
and configured in the profiles file. Additional configuration is required 
in the dictionary file and the clients file."

All you need is:
- Extreme VSA in dictionary
- in users file:

test    Password = "test", Service-Type = Administrative, Profile-Name = "Profile1"
           Filter-Id = "unlim"
           Extreme:Extreme-CLI-Authorization = Enabled

- in clients file:

type:extreme:nas + RAD_RFC + ACCT_RFC

- in profiles file (???)

PROFILE1 deny
{
enable *, disable ipforwarding
show switch
}

****
After some syntax tweaking:
--Adding "Profile-Name" to dictionary

	# A plain (non-VENDOR) attribute number above 255 is internal to FreeRADIUS:
	# usable in users/control lists, but never encoded into a packet sent to the switch.
	ATTRIBUTE       Profile-Name            3500    string

--adding in clients.conf

client 10.0.0.10 {
        # nastype is only consulted by checkrad for Simultaneous-Use checks
        nastype   = nas
        secret    = XtremeSecret
        shortname = X450
}

--adding in users file

# first line: check/control items; indented lines: reply items sent back to the switch
test            Auth-Type := System, Service-Type := Administrative-User, Profile-Name := "PROFILE1"
         Service-Type = Administrative-User,
         Filter-Id = "unlim",
         Extreme-CLI-Authorization = Enabled

--creating and filling /etc/freeradius/profiles file

****
I've got:
--- login to the switch: OK
--- the switch sends every user command to the FR server: OK
--- FR checks the "profiles" file to see if the user is authorized to 
execute this command: NOT OK


It seems that FR doesn't care about the "profiles" file.
The switch has only 2 levels of authorization:
- Service-Type = Administrative-User = read-write
- Service-Type = anything else = read-only

Maybe I've missed something ...

My questions are:
Is it possible to do what they claim with FR?
Is it possible to check an external file (by using external script) from 
the "users" file or from any other FR config file to do the job?

Regards
Rija
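Added example for the second question above (an external script checking an external file); this is not code from the post, from FreeRADIUS or from Extreme. It parses a "profiles" file in the layout quoted in the message and returns an rlm_exec-style exit code (0 = ok, 1 = reject, which is how the exec module maps exit codes). Assumptions not stated on the page: a "deny" profile forbids the listed commands and permits the rest, a "permit" profile does the opposite; "*" is a shell-style wildcard; the command reaches the server in the Extreme-Shell-Command VSA from FreeRADIUS's dictionary.extreme; the exec module configuration in the docstring, the script path and the use of Profile-Name as a control item are likewise assumed.

```python
#!/usr/bin/env python3
"""Added example (not from the original post, FreeRADIUS or Extreme).

Decides whether a CLI command is permitted under a named profile read from a
"profiles" file in the layout quoted in the post:

    PROFILE1 deny
    {
    enable *, disable ipforwarding
    show switch
    }

Assumed semantics: "deny" profiles forbid the listed commands and allow the
rest; "permit" profiles allow the listed commands and forbid the rest.  '*'
is a shell-style wildcard; matching is case-insensitive with whitespace
collapsed.  An unknown profile denies everything (fail closed).

Assumed wiring (module config, not from the page), with "check_profile"
listed in the authorize section; rlm_exec maps exit 0 to ok, 1 to reject:

    exec check_profile {
        wait = yes
        shell_escape = yes
        program = "/usr/local/bin/check_profile.py %{control:Profile-Name} %{request:Extreme-Shell-Command}"
    }
"""
import fnmatch
import re
import sys

PROFILES_PATH = "/etc/freeradius/profiles"   # path used in the post

# Constructed sample input in the quoted layout: the deny-list profile from
# the post plus a permit-list profile added for contrast.
SAMPLE_PROFILES = """\
PROFILE1 deny
{
enable *, disable ipforwarding
show switch
}

READONLY permit
{
show *
exit, logout
}
"""

_HEADER = re.compile(r"(\S+)\s+(permit|deny)\s*(\{)?", re.IGNORECASE)


def _norm(cmd):
    """Lower-case and collapse whitespace so 'show  SWITCH' == 'show switch'."""
    return " ".join(cmd.strip().lower().split())


def parse_profiles(text):
    """Return {NAME: (action, [patterns])}.  Raises ValueError on bad syntax."""
    profiles = {}
    state, name, action, patterns = "header", None, None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # allow '#' comments
        if not line:
            continue
        if state == "header":
            m = _HEADER.fullmatch(line)
            if not m:
                raise ValueError(f"line {lineno}: expected '<name> permit|deny'")
            name, action, patterns = m.group(1).upper(), m.group(2).lower(), []
            state = "body" if m.group(3) else "open"   # '{' may share the header line
        elif state == "open":
            if line != "{":
                raise ValueError(f"line {lineno}: expected '{{'")
            state = "body"
        elif line == "}":
            profiles[name] = (action, patterns)
            state = "header"
        else:
            # one or more comma-separated command patterns per line
            patterns.extend(_norm(p) for p in line.split(",") if p.strip())
    if state != "header":
        raise ValueError("unterminated profile block")
    return profiles


def command_allowed(profiles, profile_name, command):
    """True if 'command' may run under 'profile_name'; unknown profile -> False."""
    entry = profiles.get(profile_name.upper())
    if entry is None:
        return False
    action, patterns = entry
    cmd = _norm(command)
    listed = any(fnmatch.fnmatchcase(cmd, pat) for pat in patterns)
    return listed if action == "permit" else not listed


def decide(profile_name, command, profiles_text):
    """rlm_exec-style result: 0 = ok (command permitted), 1 = reject."""
    return 0 if command_allowed(parse_profiles(profiles_text), profile_name, command) else 1


def main(argv):
    if len(argv) < 3:
        sys.stderr.write("usage: check_profile.py PROFILE-NAME COMMAND [PROFILES-FILE]\n")
        return 2                                  # 2 = fail in rlm_exec
    path = argv[3] if len(argv) > 3 else PROFILES_PATH
    with open(path) as fh:
        return decide(argv[1], argv[2], fh.read())


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the exec module exports only one attribute list per call, the profile (a control item set with `:=` in the users entry) and the command (a request attribute) are passed as program arguments via xlat instead of through the environment; `shell_escape = yes` keeps a command containing shell metacharacters from being interpreted by the shell.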



More information about the Freeradius-Users mailing list