Hi all,
I'm trying to do per-command authorization with an Extreme Networks switch (x450) and FR.
According to Extreme, it's possible to do this with FR ...
http://www.extremenetworks.com/libraries/services/ExtremeXOSConceptsGuideSoftwareVersion12_3_rev2.zip
page 816.
"Command authorization is enabled in the users file on a FreeRADIUS server, and configured in the profiles file. Additional configuration is required in the dictionary file and the clients file."

All you need is :
-extreme VSA in dictionary
-in users file :

test    Password = "test", Service-Type = Administrative, Profile-Name = "Profile1"
          Filter-Id = "unlim"
          Extreme:Extreme-CLI-Authorization = Enabled

-in clients file :

type:extreme:nas + RAD_RFC + ACCT_RFC

-in profiles file (???)

PROFILE1 deny
{
enable *, disable ipforwarding
show switch
}

****
After some syntax tweaking :
--Adding "Profile-Name" to dictionary

        ATTRIBUTE       Profile-Name            3500    string

--adding in clients.conf

client  10.0.0.10  {
        nastype = nas
        secret  = XtremeSecret
        shortname       = X450
}

--adding in users file

test Auth-Type := System, Service-Type := Administrative-User,Profile-Name := "PROFILE1"
        Service-Type = Administrative-User,
        Filter-Id = "unlim",
        Extreme-CLI-Authorization = Enabled

--creating and filling /etc/freeradius/profiles file

****    
I've got :
--- login to the switch : OK
--- the switch sends every user command to the FR server : OK
--- FR checks the "profiles" file to see if the user is authorized to execute this command : NOT OK


It seems that FR doesn't care about the "profiles" file.
The switch has only 2 levels of authorization :
- Service-Type = Administrative-User = read-write
- Service-Type = anything else = read-only

Maybe I've missed something ...

My questions are :
Is it possible to do what they claim with FR ?
Is it possible to check an external file (by using external script) from "users" file or from any other FR config files to do the job ?

Regards
Rija