(RADIATOR) Cisco VPN 3030 and multiple handlers?

Hugh Irvine hugh at open.com.au
Thu May 13 19:36:31 CDT 2004


Hello Jeff -

I am not quite sure how you want to do the authorisation, but if you 
want to chain multiple AuthBy clauses you should use an AuthByPolicy to 
control the execution sequence. Something like this:

	AuthByPolicy ContinueWhileAccept

	<AuthBy FILE>
		.....
	</AuthBy>

	<AuthBy KRB5>
		.....
	</AuthBy>

If you tell me a bit more about your requirements I will try to make 
some sensible suggestions.

regards

Hugh


On 14 May 2004, at 04:52, Jeff Wolfe wrote:

>
> Hi folks..
>
> I have a Cisco VPN3xxx box that I'm trying to integrate with my new
> radiator installation..
>
> I have 2 interfaces in use on the 3030, one is our local
> VPN-over-Wireless service and the other is a more traditional remote
> access VPN. Ideally, I would like to add an authorization step before
> the authentication step on the remote access side, so that I can
> restrict access to a subset of the total # of users in the kerberos
> realm.
>
> here's a snip from the config:
>
> # Wireless requests come in here
> <Handler Client-Identifier=vpn, Called-Station-Id=172.16.50.1>
>   <AuthBy KRB5>
>         KrbRealm dce.psu.edu
>   </AuthBy>
>   AcctLogFileName %D/vpnw.detail
> </Handler>
> # Remote access requests come in here
> <Handler Client-Identifier=vpn, Called-Station-Id=146.186.x.x>
>   <AuthBy KRB5>
>         KrbRealm dce.psu.edu
>   </AuthBy>
>   AcctLogFileName %D/vpnr.detail
> </Handler>
>
>
> This works fine, but I'm not sure how to add the authorization step. I
> tried adding an AuthBy File before the AuthBy KRB5, but with that in
> place, any user who passed the authby file was immediately granted
> access, regardless of their password.
>
> Is this functionality something I have to add to the Krb5 module?
>
> Thanks!
>
> -JEff
>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
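
The behaviour Jeff reports (AuthBy FILE accepting and the password never reaching Kerberos) follows from Radiator's default AuthByPolicy, ContinueWhileIgnore, which stops at the first AuthBy that returns ACCEPT or REJECT. The script below is an added model of that chaining, not Radiator code; it assumes each AuthBy yields ACCEPT, REJECT or IGNORE, that the Handler's verdict is the last AuthBy that ran, and uses a constructed users list and password table in place of the real users file and KDC.

```python
# Model of Radiator AuthByPolicy chaining (added illustration, not Radiator code).
# Assumption: an AuthBy returns ACCEPT, REJECT or IGNORE; the Handler's verdict is
# the result of the last AuthBy that ran, and the policy only decides whether to
# keep going after each one.
ACCEPT, REJECT, IGNORE = "ACCEPT", "REJECT", "IGNORE"

# Constructed stand-ins for the two clauses discussed in the thread.
AUTHORIZED_USERS = {"alice", "bob"}                  # what the AuthBy FILE users file lists
KRB_PASSWORDS = {"alice": "s3cret", "carol": "pw"}   # what the Kerberos realm would verify

def authby_file(user, password):
    # A users file entry with no password attribute: membership alone is ACCEPT.
    return ACCEPT if user in AUTHORIZED_USERS else IGNORE

def authby_krb5(user, password):
    # Real KRB5 verification replaced by a table lookup for the model.
    return ACCEPT if KRB_PASSWORDS.get(user) == password else REJECT

# Which result lets the chain continue, per AuthByPolicy value.
POLICIES = {
    "ContinueWhileIgnore": lambda r: r == IGNORE,   # Radiator's default
    "ContinueWhileAccept": lambda r: r == ACCEPT,
    "ContinueAlways": lambda r: True,
}

def run_handler(policy, authbys, user, password):
    """Run the AuthBy chain under the named policy and return the final verdict.
    IGNORE means no AuthBy decided; Radiator does not send an Access-Accept for it."""
    result = IGNORE
    for authby in authbys:
        result = authby(user, password)
        if not POLICIES[policy](result):
            break
    return result

# The chain from Hugh's suggestion: authorisation file first, then Kerberos.
CHAIN = [authby_file, authby_krb5]

if __name__ == "__main__":
    for policy in ("ContinueWhileIgnore", "ContinueWhileAccept"):
        # Authorised user, wrong password: default policy accepts, ContinueWhileAccept rejects.
        print(policy, run_handler(policy, CHAIN, "alice", "wrong"))
```

With ContinueWhileAccept a user missing from the file stops the chain at IGNORE, so Kerberos is never consulted for unauthorised principals, while a listed user still has to pass KRB5.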
