10-09-2009 07:48 AM
I have a growing network and require staff to be able to administer some of the Foundry switches. We have been using GNU Radius with our switches for user authentication and it works. However, I'd like to be able to specify more granular privileges for the user accounts.
exec - EXEC level; for example, BigIron> or BigIron#
configure - CONFIG level; for example, BigIron(config)#
interface - Interface level; for example, BigIron(config-if-6)#
Ideally I'd want a user account on Radius to be able to log in to the CLI of the switch and issue commands at the Interface level but not at the Config level.
I have found these vendor specific attributes from Foundry/Brocade for Radius purposes however, I can't seem to accomplish what I need...
# Foundry Vendor Attributes
VENDORATTR 1991 foundry-privilege-level 1 integer
VENDORATTR 1991 foundry-command-string 2 string
VENDORATTR 1991 foundry-command-exception-flag 3 integer
VALUE foundry-privilege-level Superuser 0
VALUE foundry-privilege-level PortConfig 4
VALUE foundry-privilege-level ReadOnly 5
VALUE foundry-command-exception-flag PermitList-DenyOthers 0
VALUE foundry-command-exception-flag DenyList-PermitOthers 1
I've tried using the "foundry-privilege-level Superuser 0" with the "foundry-command-exception-flag PermitList-DenyOthers 0" argument for user accounts, but if I Permit a command to an account with the "Superuser 0" privilege, it will be able to execute the command from any CLI access level on the switch.
The "foundry-privilege-level PortConfig 4" is too restricted as it doesn't allow a user to enable/disable Mac Authentication on an interface or add/remove the interface from a vlan.
Is it possible to specify the Radius user account "Tony" to be able to execute "No Mac-Authentication enable" at an Interface level but not at the CONFIG level?
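Added example, not part of the original post: a small Python encoder/decoder for the Foundry vendor attributes quoted above, in the RFC 2865 Vendor-Specific (type 26) wire format, so the attributes a RADIUS server actually returns in an Access-Accept can be checked against what the dictionary is meant to produce. The dictionary text is copied from the post; the command string is a constructed sample value.

```python
import struct

# Dictionary lines as quoted in the post above (GNU Radius VENDORATTR/VALUE syntax).
FOUNDRY_DICT = """
VENDORATTR 1991 foundry-privilege-level 1 integer
VENDORATTR 1991 foundry-command-string 2 string
VENDORATTR 1991 foundry-command-exception-flag 3 integer
VALUE foundry-privilege-level Superuser 0
VALUE foundry-privilege-level PortConfig 4
VALUE foundry-privilege-level ReadOnly 5
VALUE foundry-command-exception-flag PermitList-DenyOthers 0
VALUE foundry-command-exception-flag DenyList-PermitOthers 1
"""

def parse_dictionary(text):
    """Return ({attr-name: (vendor-id, vendor-type, data-type)}, {(attr, value-name): int})."""
    attrs, values = {}, {}
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#"):
            continue
        if f[0] == "VENDORATTR":
            attrs[f[2]] = (int(f[1]), int(f[3]), f[4])
        elif f[0] == "VALUE":
            values[(f[1], f[2])] = int(f[3])
    return attrs, values

def encode_vsa(attrs, values, name, value):
    """Build one RADIUS attribute 26: type, length, vendor-id, then vendor-type, vendor-length, data."""
    vendor, num, typ = attrs[name]
    if typ == "integer":
        if isinstance(value, str):           # symbolic VALUE name, e.g. "Superuser"
            value = values[(name, value)]
        payload = struct.pack("!I", value)
    else:
        payload = value.encode()
    sub = bytes([num, 2 + len(payload)]) + payload
    return bytes([26, 6 + len(sub)]) + struct.pack("!I", vendor) + sub

def decode_vsa(attrs, values, data):
    """Inverse of encode_vsa: returns (attribute-name, symbolic value or raw value)."""
    assert data[0] == 26 and data[1] == len(data), "not a single well-formed VSA"
    vendor = struct.unpack("!I", data[2:6])[0]
    num, sublen = data[6], data[7]
    payload = data[8:6 + sublen]
    by_num = {v[1]: (k, v[2]) for k, v in attrs.items() if v[0] == vendor}
    name, typ = by_num[num]
    if typ == "integer":
        n = struct.unpack("!I", payload)[0]
        names = [vn for (an, vn), x in values.items() if an == name and x == n]
        return name, (names[0] if names else n)
    return name, payload.decode()
```

Comparing the decoded attributes from a packet capture of the Access-Accept with the entry in the users file shows whether the privilege level and command list reach the switch as intended.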
10-10-2009 07:07 AM
I just wanted to suggest to get in touch with the partner supporting your installation or with the Brocade SE responsible for your account. This question is not related to our Application Delivery devices if I am not wrong. The question is now inside our "Application Delivery Infrastructure" community area which is a ServerIron related community. Get in touch with your partner and/or SE to get an answer because I doubt anybody is going to give you an answer here.
I am sorry for the inconvenience.