Netgear XCM8806 - 8800 SERIES 6-SLOT CHASSIS SWITCH User's Manual

NETGEAR 8800 User Manual
Chapter 17. Security

authentication events. The RADIUS server does not process attributes; it simply sends them when authentication is accepted. It is the switch that processes attributes.

User authentication and attributes are managed on a RADIUS server by editing text files. On the FreeRADIUS server, the user ID, password, attributes, and VSAs are stored in the users file, and VSAs are defined in the dictionary file. The dictionary file associates numbers with each attribute. When you edit the users file, you specify the text version of each attribute you define. When the RADIUS server sends attributes to the switch, it sends the attribute type numbers to reduce the network load. Some attribute values are sent as numbers too.

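Added example, not part of the NETGEAR manual or of FreeRADIUS: the Python below uses a constructed dictionary fragment to turn the attribute numbers carried in an Access-Accept back into the names written in the users file, which is the step needed when auditing a capture for the privileges a server grants. The Example vendor, its Example-Profile-Name attribute, and the sample bytes are assumptions made for illustration.

```python
import struct

# Constructed fragment in FreeRADIUS dictionary syntax. Service-Type numbers are from RFC 2865;
# vendor "Example" (32473, reserved for documentation) and its attribute are hypothetical.
DICTIONARY = """
ATTRIBUTE     Service-Type  6  integer
VALUE         Service-Type  Login-User           1
VALUE         Service-Type  Administrative-User  6
VENDOR        Example       32473
BEGIN-VENDOR  Example
ATTRIBUTE     Example-Profile-Name  1  string
END-VENDOR    Example
"""
# Constructed attribute bytes as they would follow the header of an Access-Accept.
SAMPLE = bytes.fromhex("060600000006" "1a0e00007ed90108") + b"admins"

def load_dictionary(text):
    """Map (vendor_id, number) -> (name, type) and (attr_name, number) -> value name."""
    attrs, values, vendors, current = {}, {}, {}, 0
    for f in (line.split() for line in text.splitlines() if line.strip()):
        if f[0] == "VENDOR":
            vendors[f[1]] = int(f[2])
        elif f[0] in ("BEGIN-VENDOR", "END-VENDOR"):
            current = vendors[f[1]] if f[0] == "BEGIN-VENDOR" else 0
        elif f[0] == "ATTRIBUTE":
            attrs[(current, int(f[2]))] = (f[1], f[3])
        elif f[0] == "VALUE":
            values[(f[1], int(f[3]))] = f[2]
    return attrs, values

def decode(data, attrs, values, vendor=0):
    """Walk type/length/value attributes; the length byte includes the 2-byte header."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2 or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        atype, body = data[i], data[i + 2:i + data[i + 1]]
        i += data[i + 1]
        if vendor == 0 and atype == 26 and len(body) >= 4:  # Vendor-Specific
            # Assumes the common VSA layout: 4-byte vendor ID, then sub-attributes.
            out += decode(body[4:], attrs, values, struct.unpack("!I", body[:4])[0])
            continue
        name, kind = attrs.get((vendor, atype), ("Attr-%d-%d" % (vendor, atype), "octets"))
        if kind == "integer" and len(body) == 4:
            number = struct.unpack("!I", body)[0]
            out.append((name, values.get((name, number), number)))
        else:
            out.append((name, body.decode("utf-8", "replace") if kind == "string" else body.hex()))
    return out
```

Calling `decode(SAMPLE, *load_dictionary(DICTIONARY))` returns the two attributes by name; an attribute missing from the dictionary is reported by number with its value in hex rather than dropped.
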
Command authorization is also managed on a RADIUS server by editing text files. On a FreeRADIUS server, the profiles file is divided into sections called profiles. Each profile lists command access definitions. In the users file, you can use the Profile-Name attribute to select the command profile that applies to each user managed by command authorization.

The XCM8800 software supports backup authentication and authorization by a secondary RADIUS server. If the first RADIUS server, which is configured as the primary RADIUS server, fails and a secondary RADIUS server is configured, the switch sends the request to the secondary RADIUS server. If neither RADIUS server is available, the switch looks up the user in the local database.

RADIUS servers can optionally be configured to work with directory services such as LDAP or Microsoft Active Directory. Because XCM8800 switches operate with RADIUS servers, they can benefit from the pairing of the RADIUS server and a directory service. Some guidelines for configuring FreeRADIUS with LDAP are provided later in this chapter. Because using a directory service requires configuring both the RADIUS server and the directory service, follow the documentation for those products.

Configuration Overview for Authenticating Management Sessions

To configure the switch RADIUS client and the RADIUS server to authenticate management sessions, do the following:

1. Configure the switch RADIUS client for authentication as described in
2. If you want to use RADIUS accounting, configure the switch RADIUS accounting client as described in
3. Configure the RADIUS server for authentication as described in
4. If you want to configure command authorization, configure the RADIUS server as described in
5. If you want to use RADIUS accounting, configure a RADIUS accounting server as described in the documentation for your RADIUS product.