Application Delivery (ADX)

New Contributor
Posts: 4
Registered: ‎10-08-2009

Radius and IP based Foundry switches

I have a growing network and require staff to be able to administer some of the Foundry switches.  We have been using GNU Radius with our switches for user authentication and it works.  However, i'd like to be able to specify more granular privileges for the users accounts.

exec - EXEC level; for example, BigIron> or BigIron#

configure - CONFIG level; for example, BigIron(config)#

interface - Interface level; for example, BigIron(config-if-6)#

Ideally I’d want a user account on Radius to be able to login into to the CLI of the switch and issue commands at the Interface level but not at the Config Level.

I have found these vendor specific attributes from Foundry/Brocade for Radius purposes however, I can't seem to accomplish what I need...

# Foundry Vendor Attributes
VENDORATTR 1991 foundry-privilege-level   1 integer
VENDORATTR 1991 foundry-command-string    2 string
VENDORATTR 1991 foundry-command-exception-flag 3 integer
VALUE foundry-privilege-level Superuser 0
VALUE foundry-privilege-level PortConfig 4
VALUE foundry-privilege-level ReadOnly 5
VALUE foundry-command-exception-flag PermitList-DenyOthers 0

VALUE foundry-command-exception-flag DenyList-PermitOthers 1

I’ve tried using the “foundry-privilege-level Superuser 0” with the “foundry-command-exception-flag PermitList-DenyOthers 0 argument for user accounts but; if I Permit a command to an account with the Superuser 0 privilege, it will be able to execute the command from any CLI access level on the switch.

The foundry-privilege-level PortConfig 4 is too restricted as it doesn’t allow a user to enable/disable Mac Authentication on an interface or add/remove the interface from a vlan.

Is it possible to specify the Radius user account “Tony” to be able to execute "No Mac-Authentication enable” at an Interface level but not at the CONFIG level?

Super Contributor
Posts: 316
Registered: ‎05-01-2009

Re: Radius and IP based Foundry switches

I just wanted to suggest to get in touch with the partner supporting your installation or with the Brocade SE responsible for your account. This question is not related to our Application Delivery devices if I am not wrong. The question is now inside our "Application Delivery Infrastructure" community area which is a ServerIron related community. Get in touch with your partner and/or SE to get an answer because I doubt anybody is going to give you an answer here.

I am sorry for the inconvenience.

Join the Community

Get quick and easy access to valuable resource designed to help you manage your Brocade Network.