Foundry NetIron M2404C and M2404F Metro Access Switches
Configuring Switch Authentication Features (Rev. 03)
User Privilege Levels with CLI
© 2008 Foundry Networks, Inc.
Page 7 of 70
2. For all users except dot1x users, assign a privilege in the “users” file (refer to the example in the “dictionary.foundry” file).
Dot1x users who can also use the device as remote users on a different port must have two user names and passwords: one required when accessing the device as remote users and one for accessing the device as dot1x users.
3. Add the “dictionary.foundry” file to the “dictionary” file that is part of the RADIUS configuration files.
Example
The following example demonstrates how to assign privileges to users through RADIUS authentication. The example refers only to FreeRADIUS server authentication; the format may differ for other RADIUS server distributions.
In general, privilege levels are vendor-specific attribute values between 0 and 15. Users with no privilege, or with an invalid privilege value, are assigned the “Guest” privilege.
1. To describe the vendor-specific extensions, add a file named “dictionary.foundry” to the RADIUS dictionaries. The “dictionary.foundry” file will contain text similar to the following:
    VENDOR      Foundry Networks
    ATTRIBUTE   FOUNDRY-privilege-group 1 integer FOUNDRY
    VALUE       FOUNDRY-privilege-group Administrators 0
    VALUE       FOUNDRY-privilege-group Network-admins 4
    VALUE       FOUNDRY-privilege-group Technicians 8
    VALUE       FOUNDRY-privilege-group Users 12
    VALUE       FOUNDRY-privilege-group Guests 15
2. Include the file “dictionary.foundry” in the main “dictionary” file:
    INCLUDE /usr/local/etc/raddb/dictionary.foundry
3. Configure the users by typing the following in the users database file:
NOTE: Generally, the RADIUS server consults a database of users to find the user whose name matches the request. The user entry in the database contains a list of requirements that must be met to allow access for the user. For FreeRADIUS, this database is in a file named “users”. The file name may be different for other types of RADIUS servers.
    test    Auth-Type := Local, User-Password == "test"
            Reply-Message = "Hello, %u",
            FOUNDRY-privilege-group = Network-admins
FOUNDRY-privilege-group is the vendor-specific extension that carries the privilege information.
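As an added example (not from the manual or from FreeRADIUS), the following Python parses the VALUE lines of the dictionary.foundry file and the users entry shown above, then resolves the privilege level a RADIUS reply grants, applying the manual's fallback rule that a missing or invalid value yields the Guest level. The Guest level of 15 and the sample file texts are taken from the dictionary and users entries on this page; the helper names are the example's own.

```python
import re

# Constructed copies of the dictionary.foundry and users entries shown in the manual.
DICTIONARY_FOUNDRY = """\
VENDOR      Foundry Networks
ATTRIBUTE   FOUNDRY-privilege-group 1 integer FOUNDRY
VALUE       FOUNDRY-privilege-group Administrators 0
VALUE       FOUNDRY-privilege-group Network-admins 4
VALUE       FOUNDRY-privilege-group Technicians 8
VALUE       FOUNDRY-privilege-group Users 12
VALUE       FOUNDRY-privilege-group Guests 15
"""
USERS_ENTRY = """\
test    Auth-Type := Local, User-Password == "test"
        Reply-Message = "Hello, %u",
        FOUNDRY-privilege-group = Network-admins
"""
GUEST_LEVEL = 15  # the "Guests" value: assigned when no valid level is supplied
# One "name op value" item; values may be quoted (and then contain commas) or bare.
ITEM = re.compile(r'([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^\s,]+)')

def parse_dictionary(text):
    """Collect VALUE lines into {attribute: {value_name: integer}}, case-insensitively."""
    values = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()       # drop comments, split on whitespace
        if len(fields) == 4 and fields[0].upper() == "VALUE":
            values.setdefault(fields[1].lower(), {})[fields[2].lower()] = int(fields[3])
    return values

def parse_users_entry(text):
    """Split one users-file entry into (username, check_items, reply_items):
    the first line holds the name and check items, indented lines the reply items."""
    lines = [l for l in text.splitlines() if l.strip()]
    head = lines[0].split(None, 1)
    check = {m[1]: m[3].strip('"') for m in ITEM.finditer(head[1] if len(head) > 1 else "")}
    reply = {m[1]: m[3].strip('"') for m in ITEM.finditer(" ".join(lines[1:]))}
    return head[0], check, reply

def resolve_privilege(reply, dictionary):
    """Return the numeric level a reply grants; an absent attribute, an unknown
    value name or a number outside 0..15 all fall back to Guest."""
    groups = dictionary.get("foundry-privilege-group", {})
    value = next((v for k, v in reply.items() if k.lower() == "foundry-privilege-group"), None)
    if value is None:
        return GUEST_LEVEL
    if value.isdigit():                              # raw integer instead of a VALUE name
        return int(value) if 0 <= int(value) <= 15 else GUEST_LEVEL
    return groups.get(value.lower(), GUEST_LEVEL)
```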
Authentication and Privilege Groups
authentication is an alternative to RADIUS authentication. The following example displays the contents of a server configuration file:
# The shared secret key