Fibre Channel (SAN)

New Contributor
Posts: 4
Registered: ‎10-08-2009

Radius user authentication permissions for Brocade switches...

We've been using the free GNU Radius for some time with our Brocade switches and it works quite well. However, we are a growing IT group and need to delegate permissions to IT staff to be able to execute certain commands on the Brocade switches we have. My question: is it possible to specify via RADIUS what commands can be executed and at which privilege level on the switch?

We are trying to avoid the execution of Global Commands and have been unsuccessful. All I have been able to find via Brocade documentation is the ability to specify three different privilege levels...

0 super user level
4 Port Configuration level
5 Read only

Level 4 is too restricted for what we want and 0 is too lenient. For example, I'd like a staff member to be able to execute "no mac-authentication" at the interface level but not at the global level, as there it would be disabled on the entire switch. Is this possible?

Thank you in advance for your help.



External Moderator
Posts: 5,033
Registered: ‎02-23-2004

Re: Radius user authentication permissions for Brocade switches...

--->>> My question; is it possible to specify via radius what commands can be executed and at which privilege level on the switch?

What do you mean exactly with "and at which privilege level"?

The user name? E.g. admin, root, user etc.

TechHelp24
New Contributor
Posts: 4
Registered: ‎10-08-2009

Re: Radius user authentication permissions for Brocade switches...

I worded that incorrectly; by privilege level, I meant the following CLI access levels on the switches:

exec - EXEC level; for example, BigIron> or BigIron#
configure - CONFIG level; for example, BigIron(config)#
interface - Interface level; for example, BigIron(config-if-6)#

Ideally I'd want a user account on RADIUS to be able to log into the CLI of the switch and issue commands at the Interface level but not at the Config level.

I have found these vendor-specific attributes from Foundry/Brocade for RADIUS purposes; however, I can't seem to accomplish what I need...

# Foundry Vendor Attributes (GNU Radius dictionary syntax: VENDORATTR vendor-id name attr-number type)
VENDORATTR 1991 foundry-privilege-level        1 integer
VENDORATTR 1991 foundry-command-string         2 string
VENDORATTR 1991 foundry-command-exception-flag 3 integer
# Named values for the integer attributes
VALUE foundry-privilege-level Superuser 0
VALUE foundry-privilege-level PortConfig 4
VALUE foundry-privilege-level ReadOnly 5
VALUE foundry-command-exception-flag PermitList-DenyOthers 0
VALUE foundry-command-exception-flag DenyList-PermitOthers 1

I've tried using "foundry-privilege-level Superuser 0" with the "foundry-command-exception-flag PermitList-DenyOthers 0" argument for user accounts, but if I permit a command to an account with the Superuser 0 privilege, it will be able to execute the command from any CLI access level on the switch.

The foundry-privilege-level PortConfig 4 is too restricted, as it doesn't allow a user to enable/disable MAC authentication on an interface or add/remove the interface from a VLAN.

Is it possible to specify that the RADIUS user account "Tony" can execute "no mac-authentication enable" at the Interface level but not at the CONFIG level?
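
An added example, not code from this thread or from Brocade/Foundry: it parses the dictionary lines quoted above and encodes/decodes the Foundry VSAs as they appear on the wire in an Access-Accept (RFC 2865 Vendor-Specific attribute: type 26, length, vendor id 1991, then vendor sub-type, sub-length and data). It is useful for checking, against a packet capture, exactly which privilege level and command list the RADIUS server is actually handing the switch. The DICTIONARY text is constructed from the lines above; the function names are my own.

```python
import struct

# Constructed from the VENDORATTR/VALUE lines quoted in the post above.
DICTIONARY = """
VENDORATTR 1991 foundry-privilege-level        1 integer
VENDORATTR 1991 foundry-command-string         2 string
VENDORATTR 1991 foundry-command-exception-flag 3 integer
VALUE foundry-privilege-level Superuser 0
VALUE foundry-privilege-level PortConfig 4
VALUE foundry-privilege-level ReadOnly 5
VALUE foundry-command-exception-flag PermitList-DenyOthers 0
VALUE foundry-command-exception-flag DenyList-PermitOthers 1
"""

VENDOR_SPECIFIC = 26  # RFC 2865 attribute type that carries every VSA

def parse_dictionary(text):
    """Return ({name: (vendor, sub-type, kind)}, {name: {value-name: int}})."""
    attrs, values = {}, {}
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "VENDORATTR":
            attrs[parts[2]] = (int(parts[1]), int(parts[3]), parts[4])
        elif parts and parts[0] == "VALUE":
            values.setdefault(parts[1], {})[parts[2]] = int(parts[3])
    return attrs, values

def encode_vsa(attrs, values, name, value):
    """Encode one attribute: 26 | len | vendor-id(4) | sub-type | sub-len | data."""
    vendor, vtype, kind = attrs[name]
    if kind == "integer":  # accept a named value ("Superuser") or a raw int
        data = struct.pack("!I", values.get(name, {}).get(value, value))
    else:
        data = value.encode()
    sub = struct.pack("!BB", vtype, 2 + len(data)) + data
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), vendor) + sub

def decode_vsa(attrs, values, packet):
    """Decode bytes produced by encode_vsa back to (name, value), naming integers."""
    _atype, _alen, vendor = struct.unpack("!BBI", packet[:6])
    vtype, vlen = struct.unpack("!BB", packet[6:8])
    data = packet[8:8 + vlen - 2]
    for name, (v, t, kind) in attrs.items():
        if v == vendor and t == vtype:
            if kind != "integer":
                return name, data.decode()
            num = struct.unpack("!I", data)[0]
            names = {n: s for s, n in values.get(name, {}).items()}
            return name, names.get(num, num)
    raise ValueError("unknown VSA %d/%d" % (vendor, vtype))
```

Note that the dictionary defines no attribute carrying a CLI access level, which matches the behaviour described above: the command list is evaluated independently of whether the session is at EXEC, CONFIG or interface level.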

External Moderator
Posts: 5,033
Registered: ‎02-23-2004

Re: Radius user authentication permissions for Brocade switches...

Antonio,

You are in the wrong forum here (Products, Technology, and Architecture).

Next time, please post IP-based switch (Foundry) questions in the correct forum, Application Delivery Infrastructure.

oadam is the right member here who can help you solve this problem.

TechHelp24
New Contributor
Posts: 4
Registered: ‎10-08-2009

Re: Radius user authentication permissions for Brocade switches...

Thank you, I will do that.

External Moderator
Posts: 5,033
Registered: ‎02-23-2004

Re: Radius user authentication permissions for Brocade switches...

I have forwarded this thread to him; it is not necessary to post again now.
