10-08-2009 03:00 PM
We've been using the free GNURadius for some time with our Brocade switches and it works quite well. However, we are a growing IT group and need to delegate permissions to IT staff so they can execute certain commands on the Brocade switches we have. My question: is it possible to specify via RADIUS what commands can be executed and at which privilege level on the switch?
We are trying to avoid the execution of Global Commands and have been unsuccessful. All I have been able to find via Brocade documentation is the ability to specify three different privilege levels...
0 super user level
4 Port Configuration level
5 Read only
Level 4 is too restricted for what we want and 0 is too lenient. For example, I'd like for a staff member to be able to execute "no mac-authentication" on an interface level but not at the Global level as it would be disabled on the entire switch. Is this possible?
Thank you in advance for your help.
10-08-2009 09:12 PM
--->>> My question; is it possible to specify via radius what commands can be executed and at which privilege level on the switch?
What exactly do you mean by "and at which privilege level"?
The user name? E.g. admin, root, user etc.
10-09-2009 06:19 AM
I worded that incorrectly; by privilege level, I meant the following CLI access levels on the switches...
exec - EXEC level; for example, BigIron> or BigIron#
configure - CONFIG level; for example, BigIron(config)#
interface - Interface level; for example, BigIron(config-if-6)#
Ideally I'd want a user account on RADIUS to be able to log in to the CLI of the switch and issue commands at the Interface level but not at the Config level.
I have found these vendor-specific attributes from Foundry/Brocade for RADIUS purposes; however, I can't seem to accomplish what I need...
# Foundry Vendor Attributes
VENDORATTR 1991 foundry-privilege-level 1 integer
VENDORATTR 1991 foundry-command-string 2 string
VENDORATTR 1991 foundry-command-exception-flag 3 integer
VALUE foundry-privilege-level Superuser 0
VALUE foundry-privilege-level PortConfig 4
VALUE foundry-privilege-level ReadOnly 5
VALUE foundry-command-exception-flag PermitList-DenyOthers 0
VALUE foundry-command-exception-flag DenyList-PermitOthers 1
I've tried using the "foundry-privilege-level Superuser 0" with the "foundry-command-exception-flag PermitList-DenyOthers 0" argument for user accounts, but if I permit a command to an account with the "Superuser 0" privilege, it will be able to execute the command from any CLI access level on the switch.
The "foundry-privilege-level PortConfig 4" is too restricted as it doesn't allow a user to enable/disable MAC authentication on an interface or add/remove the interface from a VLAN.
Is it possible to specify that the RADIUS user account "Tony" can execute "no mac-authentication enable" at the Interface level but not at the CONFIG level?
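As an added example (not from this thread or from Brocade/GNU Radius), the following Python parses the Foundry dictionary lines posted above and encodes/decodes them as RFC 2865 Vendor-Specific attributes (type 26, vendor id 1991, vendor-type/vendor-length sub-format), which is useful when checking on the wire what the RADIUS server actually sends the switch for a given user entry.

```python
import struct

# Dictionary lines exactly as posted in the thread (GNU Radius VENDORATTR/VALUE syntax).
FOUNDRY_DICTIONARY = """\
VENDORATTR 1991 foundry-privilege-level 1 integer
VENDORATTR 1991 foundry-command-string 2 string
VENDORATTR 1991 foundry-command-exception-flag 3 integer
VALUE foundry-privilege-level Superuser 0
VALUE foundry-privilege-level PortConfig 4
VALUE foundry-privilege-level ReadOnly 5
VALUE foundry-command-exception-flag PermitList-DenyOthers 0
VALUE foundry-command-exception-flag DenyList-PermitOthers 1
"""

VENDOR_SPECIFIC = 26  # RFC 2865 attribute type that carries every VSA

def parse_dictionary(text):
    """Return ({attr_name: (vendor, number, type)}, {attr_name: {label: int}})."""
    attrs, values = {}, {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "VENDORATTR":
            _, vendor, name, number, kind = parts
            attrs[name] = (int(vendor), int(number), kind)
        elif parts[0] == "VALUE":
            _, name, label, number = parts
            values.setdefault(name, {})[label] = int(number)
    return attrs, values

def encode_vsa(attrs, values, name, value):
    """Encode one attribute as: 26 | len | vendor-id(4) | vendor-type | vendor-len | data."""
    vendor, number, kind = attrs[name]
    if kind == "integer":
        value = values[name][value] if isinstance(value, str) else value
        payload = struct.pack("!I", value)
    elif kind == "string":
        payload = value.encode()
    else:
        raise ValueError("unsupported dictionary type: " + kind)
    if len(payload) > 255 - 8:  # RADIUS attribute length is a single byte
        raise ValueError("VSA payload too long for one attribute")
    inner = struct.pack("!BB", number, 2 + len(payload)) + payload
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(inner), vendor) + inner

def decode_vsa(attrs, values, data):
    """Inverse of encode_vsa; maps integers back to their VALUE labels where defined."""
    atype, alen, vendor, vtype, vlen = struct.unpack("!BBIBB", data[:8])
    if atype != VENDOR_SPECIFIC or alen != len(data) or vlen != alen - 6:
        raise ValueError("malformed Vendor-Specific attribute")
    payload = data[8:8 + vlen - 2]
    name, kind = next((n, k) for n, (v, num, k) in attrs.items() if (v, num) == (vendor, vtype))
    if kind == "integer":
        raw = struct.unpack("!I", payload)[0]
        return name, {n: l for l, n in values.get(name, {}).items()}.get(raw, raw)
    return name, payload.decode()
```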
10-09-2009 07:09 AM