Authenticating Management Sessions Through a RADIUS Server
You can use a Remote Authentication Dial In User Service (RADIUS) server to authenticate management sessions for multiple switches. A RADIUS server allows you to centralize the authentication database, so that you do not have to maintain a separate local database on each switch. RADIUS servers provide the following services for management sessions:
- Username and password authentication
- Command authorization (the RADIUS server validates whether the user is authorized to execute each command)
Note: Command restrictions that RADIUS applies to a user account through CLI authorization may not be enforced when users are logged in through Chalet or when they use the XML API directly. To use Chalet securely, create only read-only users on the switch, and then access Chalet with those user accounts.
- Accounting service (tracks authentication and authorization events)
Note: You can use a local database on each switch as a backup authentication service if the RADIUS service is unavailable. When the RADIUS service is operating, privileges defined on the RADIUS server take precedence over privileges configured in the local database.
To use RADIUS server features, you need the following components:
- RADIUS client software, which is included in the ExtremeXOS software.
- A RADIUS server, which is a third-party product.
Note: RADIUS provides many of the same features provided by TACACS+. You cannot use RADIUS and TACACS+ at the same time.
RADIUS is a communications protocol (RFC 2865) that is used between client and server to implement the RADIUS service.
The RADIUS client component of the ExtremeXOS software should be compatible with any RADIUS-compliant server product.
Note: The switch falls back to local authentication when the switch's client IP address is excluded from the RADIUS server's configuration.
The following sections provide more information on management session authentication: