(RADIATOR) safeword multiple roles

Johan Frid johan at frid.info
Wed May 7 07:54:52 CDT 2008


Hello there, Johan Frid from TeliaSonera Sweden here.

We would like to replace our FreeRADIUS installation with Radiator RADIUS.

Today we use Secure Computing's Premier Access 3.1.1 together with 
FreeRADIUS, since we need to be able to use wildcards in the clients file.

We also use multiple roles in our RADIUS configuration, so some users 
have RO = Read Only access and some have RW = Read Write access.

Here is what we would like to do.

We would like to authenticate against the SafeWord server with tokens 
and get a role back from the SafeWord server to the RADIUS server. 
Depending on the role you get back from SafeWord, we would like to send 
different attributes to the equipment that you tried to log in to.

Example.

The user jorgoh tries to log in to a router that has RADIUS authentication.

telnet 192.168.1.10

username : jorgoh
password : 6314h1

Since the router asks RADIUS for authentication, it looks in the 
safeword.cfg file and sees that it should ask the SafeWord server for 
authentication.

So now it sends jorgoh and the password 6314h1 to SafeWord. SafeWord 
answers back that it's OK and returns the role group=RW, since jorgoh has 
read/write rights.

So now it goes back to the RADIUS users file and looks for the RW group:

DEFAULT Auth-Type := safeword
        Fall-Through = 1

DEFAULT group == RO
        Service-Type = Administrative-User,
        cisco-avpair = "shell:priv-lvl=1",
        Juniper-Local-User-Name = "remote2",
        TTY-level-start = 5,
        TTY-level-max = 5,
        Unisphere-Init-CLI-Access-Level = 1,
        Unisphere-Alt-CLI-Access-Level = 5

DEFAULT group == RW
        Service-Type = Administrative-User,
        cisco-avpair = "shell:priv-lvl=15",
        Juniper-Local-User-Name = "remote1",
        TTY-level-start = 15,
        TTY-level-max = 15,
        Unisphere-Init-CLI-Access-Level = 1,
        Unisphere-Alt-CLI-Access-Level = 10

So now it sends the attributes that are listed under
DEFAULT group == RW to the router.

Since it has cisco-avpair = "shell:priv-lvl=15", it will give me admin 
rights in the router.

So the question is: how do we do the same thing with Radiator RADIUS?

We have figured out how to get Radiator RADIUS to ask SafeWord for 
authentication, but not how to pass back different user rights depending 
on the group that SafeWord returns.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
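The users-file lookup walked through in the post, as an added example that is not part of the original message, of Radiator or of FreeRADIUS: a small Python model of the posted users entries (DEFAULT, '==' and ':=' check items, Fall-Through) that shows which reply attributes a SafeWord role of RW or RO selects. It assumes the role returned by SafeWord is made available as a request attribute named group; that name, the user jorgoh and the trimmed users text are constructed for the example.

```python
import re
# Constructed sample: the users entries from the post, trimmed to what the demo needs.
USERS_FILE = """\
DEFAULT Auth-Type := safeword
        Fall-Through = 1

DEFAULT group == RO
       Service-Type = Administrative-User,
       cisco-avpair = "shell:priv-lvl=1"

DEFAULT group == RW
       Service-Type = Administrative-User,
       cisco-avpair = "shell:priv-lvl=15"
"""
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^,\s]+)\s*,?')
def parse_items(text):
    """Parse 'Attr op value, Attr op value' into (attr, op, value) triples."""
    return [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(text)]

def parse_users(text):
    """Split a users file into (name, check_items, reply_items) entries."""
    entries = []
    for block in re.split(r'\n\s*\n', text.strip()):
        lines = block.splitlines()
        name, _, checks = lines[0].partition(' ')
        reply = parse_items(' '.join(l.strip() for l in lines[1:]))
        entries.append((name, parse_items(checks), reply))
    return entries

def authorize(entries, request):
    """Apply entries in file order: DEFAULT or matching User-Name, every '==' check
    equal to the request (':=' sets the request); stop at the first applied entry
    that does not set Fall-Through, returning the accumulated reply items."""
    reply = {}
    for name, checks, replies in entries:
        if name not in ('DEFAULT', request.get('User-Name')):
            continue
        if not all(request.get(a) == v for a, op, v in checks if op == '=='):
            continue
        request.update((a, v) for a, op, v in checks if op == ':=')
        reply.update((a, v) for a, _, v in replies if a.lower() != 'fall-through')
        if not any(a.lower() == 'fall-through' and v.lower() in ('1', 'yes')
                   for a, _, v in replies):
            break
    return reply
def priv_level_for_role(role):
    """cisco-avpair chosen for jorgoh when SafeWord returns 'role'; carrying the
    role in a request attribute named 'group' is an assumption of this example."""
    request = {'User-Name': 'jorgoh', 'group': role}
    return authorize(parse_users(USERS_FILE), request).get('cisco-avpair')
```

A role that matches no entry yields no cisco-avpair at all, which is the safe outcome: the router gets no privilege level rather than a default one.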