Authenticating login sessions; RADIUS authentication with user privileges (Allied Telesis AlliedWare Plus Operating System Version 5.4.4C, x310-26FT, x310-26FP, x310-50FT, x310-50FP User Manual)

Page 1307

Local RADIUS Server Introduction and Configuration
Software Reference for x310 Series Switches, C613-50046-01 REV A
AlliedWare Plus(TM) Operating System - Version 5.4.4C
50.5

Authenticating login sessions

Authentication can be performed in multiple contexts, such as the authentication of users
logging in at a console, as well as tri-authentication of devices connecting to switch ports;
see Tri-Authentication Configuration in Chapter 42, Authentication Introduction and
Configuration.

RADIUS Authentication with User Privileges

There are three groups of privilege levels:

Users with privilege levels 1 to 6 have access to privilege level 1 commands.

Users with privilege levels 7 to 14 have access to privilege level 1 commands and all show
commands.

Users with privilege level 15 have access to all commands.

When a user logs into a management session on a switch by console, telnet, or SSH and is
being authenticated by RADIUS, the RADIUS server needs to be able to indicate to the
switch what privilege level to assign to the user's session.

The privilege level is associated with a user by means of RADIUS attributes. The
attributes are configured on RADIUS groups.

Because there are three groups of security privilege levels, there will need to be up to
three different groups for login users, each group specifying a different privilege level.

The attributes that need to be configured on the three different RADIUS groups are as
follows:

1. For users with a privilege level of 1-6, use just the RADIUS attribute Service-Type,
   and assign it the value NAS-Prompt-User:

   attribute Service-Type NAS-Prompt-User

2. For users with the security privilege of 7-14, use the following 2 RADIUS attributes:

   attribute Service-Type NAS-Prompt-User
   attribute Cisco-AVPair shell:priv-lvl=7

3. For users with the administrator security privilege, use just the RADIUS attribute
   Service-Type, and assign it the value Administrative-User:

   attribute Service-Type Administrative-User
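As an added example that is not part of the manual, the following Python models the three-group mapping above in both directions: it builds the group attribute lines for a requested privilege level and decodes the attributes carried in a reply back to a session level. Rejecting replies that match none of the three documented attribute shapes is an assumption of this model, not documented switch behaviour.

```python
# Added example, not from the Allied Telesis manual: a model of the three RADIUS
# privilege groups described above. attributes_for_privilege() builds the group's
# "attribute ..." lines; privilege_from_reply() decides what a reply grants.
import re
from typing import Dict, List

PRIV_LVL_RE = re.compile(r"^shell:priv-lvl=(\d+)$")   # value form of Cisco-AVPair


def attributes_for_privilege(level: int) -> List[str]:
    """Return the RADIUS group attribute lines for a desired privilege level (1-15)."""
    if not 1 <= level <= 15:
        raise ValueError(f"privilege level must be 1-15, got {level}")
    if level == 15:
        return ["attribute Service-Type Administrative-User"]
    if level >= 7:
        return ["attribute Service-Type NAS-Prompt-User",
                f"attribute Cisco-AVPair shell:priv-lvl={level}"]
    # Levels 1-6 all see only privilege-1 commands, so Service-Type alone is enough.
    return ["attribute Service-Type NAS-Prompt-User"]


def reply_from_lines(lines: List[str]) -> Dict[str, str]:
    """Turn 'attribute <name> <value>' lines into the attribute set a reply carries."""
    reply: Dict[str, str] = {}
    for line in lines:
        _, name, value = line.split(None, 2)
        reply[name] = value
    return reply


def privilege_from_reply(reply: Dict[str, str]) -> int:
    """Decide the session privilege level granted by an Access-Accept's attributes."""
    service_type = reply.get("Service-Type")
    avpair = reply.get("Cisco-AVPair")
    if service_type == "Administrative-User" and avpair is None:
        return 15                         # group 3: all commands
    if service_type == "NAS-Prompt-User":
        if avpair is None:
            return 1                      # group 1: privilege-1 command set only
        m = PRIV_LVL_RE.match(avpair)
        if m and 7 <= int(m.group(1)) <= 14:
            return int(m.group(1))        # group 2: adds all show commands
    # Assumption (the manual does not say how the switch handles this): anything
    # outside the three documented shapes is rejected rather than mapped to a level.
    raise ValueError(f"unrecognised privilege attributes: {reply}")
```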