(RADIATOR) Client identifier
Garry Peirce
peirce at maine.edu
Thu May 22 15:09:40 CDT 2008
Henning,
I'm not exactly sure I understand your ultimate goal, but it sounds close
enough to something I'm doing so I thought I might reply.
I have a large number of clients and various groups of users.
Each user is allowed to authenticate against certain groups of devices.
Client definitions are built using a client INCLUDEd perl script.
The script queries a DB and builds a client clause for each device.
Note: I'm not sure if a method for a DNS issue I had was ever included into
the main code, so I've a hack in place to determine the FQDN for NASs that
have multiple IPs associated to them. This allows me to define clients by
name, not IP.
Ex.
<Client device1.somthing.com>
NasType Cisco
Secret secret1
DefaultRealm NOC
AddToRequest Class=access,Identifier=groupA,Login-LAT-Node=cityZ
</Client>
<Handler Realm = "NOC",Service-Type = "Login-User">
(flood control omitted)
AddToReplyIfNotExist Service-Type = Login-User,cisco-avpair = "shell:priv-lvl=1"
AuthBy Auth-NOCGroup
AuthBy Acct-SQL
</Handler>
<AuthBy GROUP>
Identifier Auth-NOCGroup
RewriteUsername s/^([^@]+).*/$1/
AuthByPolicy ContinueWhileAccept
AuthBy Auth-File
# AuthBy Auth-SQL
AuthBy Auth-LDAP
</AuthBy>
<AuthBy FILE>
Identifier Auth-File
Filename /etc/radiator/noc_users
</AuthBy>
This flatfile contains entries such as:
user1 Identifier=groupA|groupB
user2 NAS-IP-Address=10.1.1.1|192.168.2.13
user3 Identifier=groupC,Time = "Al0700-2200"
user4
user4 would be able to try and authenticate on any device.
--
Garry Peirce +1-207-561-3539
Network Analyst, ITS
University of Maine System
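As an added example (not Garry's INCLUDEd script, nor Radiator's own code), the same device-grouping idea in Python: it emits the <Client> clauses a DB-driven include file would contain and evaluates a user's flatfile check items against the attributes that AddToRequest stamps on a request. The device rows, secrets, IPs and users are constructed for illustration, and the Time check item is not modelled.

```python
"""Radiator-style device grouping: build <Client> clauses carrying an
Identifier per device, then apply per-user check items from a users file.
Added example, not Garry's script; devices, secrets, IPs and users are constructed."""

# Stand-in for the rows the DB query would return (constructed).
DEVICES = [
    {"fqdn": "device1.example.com", "ip": "10.1.1.1", "nastype": "Cisco",
     "secret": "secret1", "group": "groupA", "site": "cityZ"},
    {"fqdn": "sw2.example.com", "ip": "10.2.2.2", "nastype": "Cisco",
     "secret": "secret2", "group": "groupC", "site": "cityY"},
]

# Constructed copy of the flatfile entries quoted in the post.
USERS_FILE = """\
user1 Identifier=groupA|groupB
user2 NAS-IP-Address=10.1.1.1|192.168.2.13
user4
"""

def client_clause(dev):
    """One <Client> clause in the shape used in the post; join these into the include file."""
    return "\n".join([
        f"<Client {dev['fqdn']}>",
        f"\tNasType {dev['nastype']}",
        f"\tSecret {dev['secret']}",
        "\tDefaultRealm NOC",
        f"\tAddToRequest Class=access,Identifier={dev['group']},Login-LAT-Node={dev['site']}",
        "</Client>",
    ])

def request_for(dev):
    """Attributes a request from this device carries after AddToRequest."""
    return {"NAS-IP-Address": dev["ip"], "Class": "access",
            "Identifier": dev["group"], "Login-LAT-Node": dev["site"]}

def parse_users(text):
    """Map username -> [(attribute, [alternatives])]; 'a|b' lists alternatives."""
    users = {}
    for line in filter(str.strip, text.splitlines()):
        name, _, rest = line.partition(" ")
        items = []
        for item in filter(None, (s.strip() for s in rest.split(","))):
            attr, _, value = item.partition("=")
            items.append((attr.strip(), value.strip().strip('"').split("|")))
        users[name] = items
    return users

def allowed(users, username, request):
    """Every check item must match; a user with none (user4) may try any device."""
    if username not in users:
        return False
    return all(request.get(attr) in alts for attr, alts in users[username])
```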
-----Original Message-----
From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On
Behalf Of Henning Markussen
Sent: Monday, May 19, 2008 6:03 AM
To: radiator at open.com.au
Subject: (RADIATOR) Client identifier
Hello
I have a task where I need to separate a lot of network devices, which
are allowed to log on and which are not.
The problem is that I don't have a list of all the IP addresses.
Currently I'm using this setup to handle all devices the same.
<Client DEFAULT>
Secret xxxx
Identifier Default
</Client>
and then later the
<Handler Client-Identifier = Default>
</Handler>
Since I don't have a complete list of IP addresses, my plan was maybe to
use different secrets.
<Client other>
Secret verysecret1
Identifier other
</Client>
<Client DEFAULT>
Secret verysecret1
Identifier Default
</Client>
and then
<Handler Client-Identifier = other>
do something
</Handler>
<Handler Client-Identifier = Default>
do something
</Handler>
But it seems that the Client part has to be IP-specific or the default
class.
I looked at IdenticalClients, but that again comes back to the problem
that I don't have a complete IP list.
Is there another way/option/approach that I have missed?
Or any other ideas ....
- Henning
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.