(RADIATOR) radius setup for network management

Stafford A. Rau srau at rauhaus.org
Thu Dec 19 14:07:01 CST 2002


I'm trying to puzzle out what should probably be a not too complicated
setup, but I'm getting a bit dazed and confused.

I want to use radius authentication for management access to a number of
routers, dslams, and other equipment.

I'm running an older version of Radiator, 2.16, on a unix platform and
can successfully authenticate with AuthBy NT against our Windows domain.
I can also successfully specify read-write access to our DSLAMs with the
"Service-Type = Administrative-User" attribute.

Here's where I'm having trouble: I want to be able to specify read-only,
read-write, or no access depending on the user and the device.

To be specific, all the devices are grouped by geographic location, which
in our case is by US state (Oregon, Washington, Utah, etc).

We have a corporate engineering group that should have read-write access
to all devices, regardless of state.

Each state has an engineering group that should have read-write access
to all the devices in that state, and read-only access to all other
devices.

We have a provisioning group for each state that should have read-write
access to the devices in that state, but no access to any devices
outside that state.

It's not a huge number of users nor devices - about 50-75 devices in
each of the five states, and about 50 total user accounts.

I'm hoping someone can suggest an overall structure for the radius.cfg
and users files that would allow me to accomplish what I've described in
a reasonably manageable fashion.

What I have so far is:

<Client ut_dslams>
include /usr/local/etc/raddb/ut_dslams
</Client>

<Client or_dslams>
include /usr/local/etc/raddb/nw_dslams
</Client>

<Realm DEFAULT>
	AcctLogFileName %Ldetail
	PasswordLogFileName %L/password.log
	RewriteUsername s/^([^@]+).*/$1/
	<AuthBy FILE>
		Filename /usr/local/etc/raddb/users
	</AuthBy>
</Realm>

<AuthBy NT>
	Identifier domaincheck
	Domain dorky.domain.com
	DomainController dorkycontroller
</AuthBy>

In the included client files, I have the secret, an "Identifier = "
line, and a bunch of IdenticalClients.

In the users files, I have:

#Corp Engineering
joe1 Auth-Type = domaincheck
	Service-Type = Administrative-User
joe2 Auth-Type = domaincheck
	Service-Type = Administrative-User
#Oregon Provisioning
slug1 Auth-Type = domaincheck, Client-Identifier = or_dslams
	Service-Type = Administrative-User
slug2 Auth-Type = domaincheck, Client-Identifier = or_dslams
	Service-Type = Administrative-User

The "Client-Identifier" doesn't seem to be checked.

Thanks,
--Stafford
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
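The three-tier policy in the post (corporate read-write everywhere, state engineering read-write at home and read-only elsewhere, state provisioning read-write at home and nothing elsewhere) is easiest to keep manageable if the access matrix is computed once and the users file is generated from it. The following is an added example, not code from the post or from Radiator: it assumes groups named "corp", "<st>-eng" and "<st>-prov", client Identifiers following the post's "<st>_dslams" pattern, a caller-supplied check-item name (the post's Client-Identifier was reported as not being checked, so the name is a parameter rather than a claim), and NAS-Prompt-User as the read-only Service-Type.

```python
# Added example (not from the post): evaluate the per-state access policy
# and render users-file entries in the same layout the post already uses.

STATES = ("or", "wa", "ut")  # constructed subset of the five states


def decide(group, device_state):
    """Return 'rw', 'ro' or 'deny' for a user group against a device's state.

    group: "corp", "<st>-eng" or "<st>-prov" (naming is an assumption).
    """
    if group == "corp":
        return "rw"                      # corporate engineering: rw everywhere
    state, role = group.split("-", 1)
    if state == device_state:
        return "rw"                      # home state: rw for eng and prov
    if role == "eng":
        return "ro"                      # other states: ro for engineering
    return "deny"                        # other states: no access for provisioning


def render_entries(user, group, check_item="Client-Id", auth="domaincheck"):
    """Produce users-file lines for the user, one entry per state's client.

    Read-write keeps the post's Administrative-User; read-only uses
    NAS-Prompt-User (assumed; confirm what each device honours). Denied
    combinations get no entry at all, so a user with no matching entry for
    a client gets no access rather than an accidental default.
    """
    lines = []
    for st in STATES:
        outcome = decide(group, st)
        if outcome == "deny":
            continue
        service = "Administrative-User" if outcome == "rw" else "NAS-Prompt-User"
        lines.append(f"{user} Auth-Type = {auth}, {check_item} = {st}_dslams")
        lines.append(f"\tService-Type = {service}")
    return lines


if __name__ == "__main__":
    # Constructed sample accounts mirroring the post's joe1 / slug1 naming.
    for user, group in (("joe1", "corp"), ("slug1", "or-prov"), ("kim1", "ut-eng")):
        print("\n".join(render_entries(user, group)))
```

Generating the file this way also makes the gaps visible: an entry with no client check item at all (like the corporate entries in the post) matches every device, which is intended only for that one group.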

