(RADIATOR) safeword multiple roles
Johan Frid
johan at frid.info
Wed May 7 07:54:52 CDT 2008
Hello there, Johan Frid from TeliaSonera Sweden here.
We would like to replace our freeradius installation with Radiator Radius
Today we use Secure Computing's Premier Access 3.1.1 together with
freeradius, since we need to be able to use wildcards in the clients file.
We also use multiple roles in our radius configuration so some users
have RO=Read Only access and some have RW=Read Write access.
Here is what we would like to do.
We would like to authenticate against the safeword server with tokens
and get a role from the safeword server back to the radius server.
Depending on the role you get back from safeword we would like to send
different attributes to the equipment that you tried to login to.
Example.
The user jorgoh tries to log in to a router that has radius authentication.
telnet 192.168.1.10
username : jorgoh
password : 6314h1
Since the router asks radius for authentication, it looks in the
safeword.cfg file and sees that it should ask the safeword server for
authentication.
So now it sends jorgoh and the password 6314h1 to safeword. Safeword
answers back that it's OK and returns the role group=RW, since jorgoh has
read/write rights.
So now it goes back to the users file for radius and looks for the RW group
DEFAULT Auth-Type := safeword
    Fall-Through = 1

DEFAULT group == RO
    Service-Type = Administrative-User,
    cisco-avpair = "shell:priv-lvl=1",
    Juniper-Local-User-Name = "remote2",
    TTY-level-start = 5,
    TTY-level-max = 5,
    Unisphere-Init-CLI-Access-Level = 1,
    Unisphere-Alt-CLI-Access-Level = 5

DEFAULT group == RW
    Service-Type = Administrative-User,
    cisco-avpair = "shell:priv-lvl=15",
    Juniper-Local-User-Name = "remote1",
    TTY-level-start = 15,
    TTY-level-max = 15,
    Unisphere-Init-CLI-Access-Level = 1,
    Unisphere-Alt-CLI-Access-Level = 10
So now it sends the attributes that are listed under
DEFAULT group == RW to the router.
Since it has cisco-avpair = "shell:priv-lvl=15" it will give me admin
rights in the router.
So the question is how do we do the same thing with radiator radius?
We have figured out how to get radiator radius to ask safeword for
authentication, but not how to pass back different user rights depending
on the group that safeword returns.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.