(RADIATOR) Client identifier
Henning Markussen
hm at mib.dk
Tue May 20 06:05:30 CDT 2008
Hi
Hmm ... ok
what if I used the default clause twice?
Would it then first try the first client section, it fails
and then try the second client section?
<Client DEFAULT>
Secret verysecret1
Identifier other
</Client>
<Client DEFAULT>
Secret verysecret2
Identifier Default
</Client>
and then afterwards use the handler section to make user validation etc.
- Henning
Hugh Irvine wrote:
>
> Hello Henning -
>
> Unfortunately there is no way to check multiple shared secrets -
> Radiator has no way of knowing if the shared secret is correct or not
> (indeed the RADIUS protocol has no way of knowing). And further, the
> correct shared secret is required for the reply to the particular client
> device.
>
> I'm afraid I can't really think of any way to do what you describe, but
> if you could send me a sample trace 4 debug from Radiator showing a
> couple of typical access requests from a couple of different devices,
> I'll have another look.
>
> regards
>
> Hugh
>
>
> On 20 May 2008, at 14:08, Henning Markussen wrote:
>
>> Hello
>>
>> My plan was to check with a external script in the handler section if
>> a person was member of a specific group.
>>
>> <Handler Client-Identifier = other>
>> check that user is member of group20
>> </Handler>
>>
>> <Handler Client-Identifier = Default>
>> check that user is member of group10
>> </Handler>
>>
>> so if the device uses "Secret verysecret1", the user must be a member
>> of the group1 to logon, and if the device uses "Secret verysecret2"
>> you have to be a member of group10.
>>
>> This is just simple part, but this give give the option to check for a
>> lot of other things after I check if a user is a member of that
>> specific group.
>>
>> This was the only plan I had to determine if a device was in group a
>> or b. Might not be the best way - so that is why the mail to the
>> maillist.
>>
>> My problem is again that I don't have a complete list of all the
>> devices , and I was hoping to make it as flexible so that people can
>> just change the secret and I didn't have to have a list of all the
>> ipadresses to maintain afterwards. And that is way I looked at secret
>> to find the difference.
>>
>> If you have any other questions just let me know.
>>
>> - Henning
>>
>> Hugh Irvine wrote:
>>> Hello Henning -
>>> How are you going to know which people are allowed to log in to which
>>> device?
>>> I think you may need to do the check as part of the authentication
>>> rather than by using the Client-Identifier.
>>> If you can give me a bit more information I will try to make a better
>>> suggestion.
>>> regards
>>> Hugh
>>> On 19 May 2008, at 20:02, Henning Markussen wrote:
>>>> Hello
>>>>
>>>> I have a task where i need to separate a lot of network devices, who is
>>>> allowed to logon, and who is not.
>>>>
>>>> The problem is that I don't have a list of all the ip addresses
>>>> Currently I'm using this setup to handle all devices the same.
>>>>
>>>> <Client DEFAULT>
>>>> Secret xxxx
>>>> Identifier Default
>>>> </Client>
>>>>
>>>> and then later the
>>>> <Handler Client-Identifier = Default>
>>>> </Handler>
>>>>
>>>> Since I don't have a complete list of ip adresses, my plan was maybe to
>>>> use diffrent secrets.
>>>>
>>>> <Client other>
>>>> Secret verysecret1
>>>> Identifier other
>>>> </Client>
>>>>
>>>> <Client DEFAULT>
>>>> Secret verysecret1
>>>> Identifier Default
>>>> </Client>
>>>>
>>>>
>>>> and then
>>>>
>>>> <Handler Client-Identifier = other>
>>>> do something
>>>> </Handler>
>>>>
>>>> <Handler Client-Identifier = Default>
>>>> do something
>>>> </Handler>
>>>>
>>>> But it seems that the Client part, has to be ip specific or the default
>>>> class.
>>>>
>>>> I looked at IdenticalClients, but that again comes back to the problem
>>>> that I don't have a complete ip list.
>>>>
>>>> Is there a other way/option/approach that I have missed?
>>>> Or any other ideas ....
>>>>
>>>> - Henning
>>>>
>>>> --
>>>> Archive at http://www.open.com.au/archives/radiator/
>>>> Announcements on radiator-announce at open.com.au
>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>> 'unsubscribe radiator' in the body of the message.
>>> NB:
>>> Have you read the reference manual ("doc/ref.html")?
>>> Have you searched the mailing list archive
>>> (www.open.com.au/archives/radiator)?
>>> Have you had a quick look on Google (www.google.com)?
>>> Have you included a copy of your configuration file (no secrets),
>>> together with a trace 4 debug showing what is happening?
>>> Have you checked the RadiusExpert wiki:
>>> http://www.open.com.au/wiki/index.php/Main_Page
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> Have you checked the RadiusExpert wiki:
> http://www.open.com.au/wiki/index.php/Main_Page
>
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list