(RADIATOR) safeword multiple roles

Hugh Irvine hugh at open.com.au
Wed May 7 17:44:54 CDT 2008


Hello Johan -

Thanks for your mail.

In answer to your question, you would use cascaded AuthBy clauses for this - the first to do the authentication, and the second to apply the group attributes.

The exact details of how to do this depend on how you are contacting the Safeword server, and what attributes come back in the reply.

If you could send me a copy of the Radiator configuration file that you have been testing with, together with a trace 4 debug showing what is happening, I will take a look.

regards

Hugh


On 7 May 2008, at 22:54, Johan Frid wrote:

> Hello there, Johan Frid, TeliaSonera Sweden here.
>
> We would like to replace our freeradius installation with Radiator Radius.
>
> Today we use Secure Computing's Premier Access 3.1.1 together with freeradius since we need to be able to use wildcards in the clients file.
>
> We also use multiple roles in our radius configuration, so some users have RO=Read Only access and some have RW=Read Write access.
>
> Here is what we would like to do.
>
> We would like to authenticate against the safeword server with tokens and get a role from the safeword server back to the radius server. Depending on the role you get back from safeword we would like to send different attributes to the equipment that you tried to log in to.
>
> Example.
>
> The user jorgoh tries to log in to a router that has radius authentication.
>
> telnet 192.168.1.10
>
> username : jorgoh
> password : 6314h1
>
> Since the router asks radius for authentication, it looks in the safeword.cfg file and sees that it should ask the safeword server for authentication.
>
> So now it sends jorgoh and password 6314h1 to safeword. Safeword answers back that it's OK and returns the role group=RW since jorgoh has read write rights.
>
> So now it goes back to the users file for radius and looks for the RW group.
>
> DEFAULT Auth-Type := safeword
>        Fall-Through = 1
>
> DEFAULT group == RO
>       Service-Type = Administrative-User,
>       cisco-avpair = "shell:priv-lvl=1",
>       Juniper-Local-User-Name = "remote2",
>       TTY-level-start = 5,
>       TTY-level-max = 5,
>       Unisphere-Init-CLI-Access-Level = 1,
>       Unisphere-Alt-CLI-Access-Level = 5
>
> DEFAULT group == RW
>       Service-Type = Administrative-User,
>       cisco-avpair = "shell:priv-lvl=15",
>       Juniper-Local-User-Name = "remote1",
>       TTY-level-start = 15,
>       TTY-level-max = 15,
>       Unisphere-Init-CLI-Access-Level = 1,
>       Unisphere-Alt-CLI-Access-Level = 10
>
>
> So now it sends the attributes that are listed under DEFAULT group == RW to the router.
>
> Since it has cisco-avpair = "shell:priv-lvl=15" it will give me admin rights in the router.
>
> So the question is how do we do the same thing with radiator radius?
>
> We have figured out how to get radiator radius to ask safeword for authentication but not how to pass back different user rights depending on the group that safeword returns.
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
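To make the Fall-Through logic in Johan's users file concrete, here is an added example (my own illustration, not Radiator's or FreeRADIUS's code) that parses entries in that format and walks them the way Johan describes: the Auth-Type := safeword entry hands the credentials to the token server, the role it returns is matched by the later DEFAULT group == RO/RW entries, and the matching entry's reply attributes are sent back. The safeword_stub, the TOKENS table and the fail-closed reject when no group entry matches are assumptions made for the demonstration.

```python
import re
# Constructed users file, modelled on the RO/RW entries quoted in the thread.
USERS_FILE = """\
DEFAULT Auth-Type := safeword
       Fall-Through = 1
DEFAULT group == RO
      Service-Type = Administrative-User,
      cisco-avpair = "shell:priv-lvl=1"
DEFAULT group == RW
      Service-Type = Administrative-User,
      cisco-avpair = "shell:priv-lvl=15"
"""
ITEM = re.compile(r'\s*(\S+?)\s*(:=|==|=)\s*"?([^",]*[^",\s])"?')   # attr op value
# Constructed stand-in for the token server: user -> (expected token, role Safeword reports)
TOKENS = {"jorgoh": ("6314h1", "RW"), "alice": ("9f2k71", "RO"), "bob": ("111111", None)}

def safeword_stub(user, password):
    expected, role = TOKENS.get(user, (None, None))
    return expected is not None and password == expected, role

def parse_users(text):
    """Return [(name, check_items, reply_items)] in file order; each item is (attr, op, value)."""
    entries = []
    for raw in filter(str.strip, text.splitlines()):
        if raw[0].isspace():                 # indented line: reply items of the current entry
            entries[-1][2].extend(ITEM.findall(raw))
        else:                                # entry header: name followed by its check items
            name, _, checks = raw.partition(" ")
            entries.append((name, ITEM.findall(checks), []))
    return entries

def authorize(entries, request, token_auth):
    """Walk the entries in file order, honouring Fall-Through. token_auth(user, password)
    stands in for the Safeword query and returns (accepted, role) as Safeword reports them."""
    req, reply = dict(request), {}
    for name, checks, replies in entries:
        if name not in ("DEFAULT", req.get("User-Name")):
            continue
        if ("Auth-Type", ":=", "safeword") in checks:   # hand the credentials to the token server
            accepted, req["group"] = token_auth(req.get("User-Name"), req.get("User-Password"))
            if not accepted:
                return "Access-Reject", {}
        if not all(req.get(a) == v for a, op, v in checks if op == "=="):
            continue                                    # this entry's check items do not match
        reply.update((a, v) for a, _, v in replies if a != "Fall-Through")
        if ("Fall-Through", "=", "1") not in replies:
            return "Access-Accept", reply
    # Ran past the last entry after a Fall-Through: no group entry matched (e.g. Safeword sent
    # no role). Fail closed rather than accept a session that carries no privilege level.
    return "Access-Reject", {}
```

The last return is the check worth keeping whichever server you end up on: a user whose role lookup yields nothing should not reach the router with an empty reply that the device then interprets with its own default privilege level.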

