(RADIATOR) Client identifier

Garry Peirce peirce at maine.edu
Thu May 22 15:09:40 CDT 2008


Henning,

I'm not exactly sure I understand your ultimate goal, but it sounds close
enough to something I'm doing so I thought I might reply.

I have a large number of clients and various groups of users.
Each user is allowed to authenticate against certain groups of devices.

Client definitions are built using a client INCLUDEd perl script.
The script queries a DB and builds a client clause for each device.
Note: I'm not sure if a method for a DNS issue I had was ever included into
the main code, so I've a hack in place to determine the FQDN for NASs that
have multiple IPs associated to them. This allows me to define clients by
name, not IP.

Ex.
<Client device1.somthing.com>
        NasType Cisco
        Secret secret1
        DefaultRealm NOC
        AddToRequest Class=access,Identifier=groupA,Login-LAT-Node=cityZ
</Client>

<Handler Realm = "NOC",Service-Type = "Login-User">
        # (flood control omitted)
        AddToReplyIfNotExist Service-Type = Login-User,cisco-avpair = "shell:priv-lvl=1"
        AuthBy Auth-NOCGroup
        AuthBy Acct-SQL
</Handler>

<AuthBy GROUP>
        Identifier Auth-NOCGroup
        RewriteUsername s/^([^@]+).*/$1/
        AuthByPolicy ContinueWhileAccept
        AuthBy Auth-File
#       AuthBy Auth-SQL
        AuthBy Auth-LDAP
</AuthBy>

<AuthBy FILE>
        Identifier  Auth-File
        Filename    /etc/radiator/noc_users
</AuthBy>

This flatfile contains entries such as:
user1        Identifier=groupA|groupB
user2        NAS-IP-Address=10.1.1.1|192.168.2.13
user3        Identifier=groupC,Time = "Al0700-2200"
user4

user4 would be able to try and authenticate on any device.

--
Garry Peirce   +1-207-561-3539
Network Analyst,  ITS
University of Maine System
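The following is a small Python model of the scheme Garry describes above. It is an added example, not code from the thread and not Radiator itself: it stands in for what Radiator does when a Client clause (selected by the source address the request arrives from, never by the secret) adds an Identifier attribute with AddToRequest, RewriteUsername strips the realm, and an AuthBy FILE entry's check items are evaluated. The client table, addresses, groups and users are constructed for the example; the Time check item is not modelled.

```python
import re

# Constructed client table, standing in for the <Client> clauses that the
# INCLUDEd Perl script in the reply would generate from the database.
# Hostnames, addresses and groups are hypothetical. "addresses" models the
# FQDN-to-multiple-IP resolution the reply mentions; "add" models AddToRequest.
CLIENTS = {
    "device1.something.com": {
        "addresses": {"10.0.0.1", "10.0.0.2"},
        "add": {"Class": "access", "Identifier": "groupA", "Login-LAT-Node": "cityZ"},
    },
    "device2.something.com": {
        "addresses": {"10.1.1.1"},
        "add": {"Class": "access", "Identifier": "groupB", "Login-LAT-Node": "cityY"},
    },
    "device3.something.com": {
        "addresses": {"192.168.2.13"},
        "add": {"Class": "access", "Identifier": "groupC", "Login-LAT-Node": "cityX"},
    },
}

# Constructed flat file in the same shape as the noc_users file in the reply
# (the Time check item is left out of this model).
USER_FILE = """\
user1        Identifier=groupA|groupB
user2        NAS-IP-Address=10.1.1.1|192.168.2.13
user3        Identifier=groupC
user4
"""


def parse_user_file(text):
    """Map each username to its list of (attribute, allowed-values) check items."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        checks = []
        if len(fields) == 2:
            for item in fields[1].split(","):
                attr, _, value = item.partition("=")
                # "a|b" means any one of the listed values is acceptable
                allowed = [v.strip().strip('"') for v in value.split("|")]
                checks.append((attr.strip(), allowed))
        users[fields[0]] = checks
    return users


def find_client(src):
    """Select the <Client> whose resolved addresses include the packet source."""
    for name, client in CLIENTS.items():
        if src in client["addresses"]:
            return name
    return None


def authorise(src, user_name, nas_ip, users=None):
    """Return ACCEPT, REJECT or IGNORE for one Access-Request.

    src       - address the request arrived from (selects the Client clause)
    user_name - User-Name attribute, possibly with an @realm suffix
    nas_ip    - NAS-IP-Address attribute as sent by the device
    """
    users = users if users is not None else parse_user_file(USER_FILE)
    client = find_client(src)
    if client is None:
        return "IGNORE"  # no Client clause for this source: request is dropped
    request = {"NAS-IP-Address": nas_ip, **CLIENTS[client]["add"]}
    # RewriteUsername s/^([^@]+).*/$1/ : strip the realm before the lookup
    request["User-Name"] = re.sub(r"^([^@]+).*", r"\1", user_name)
    checks = users.get(request["User-Name"])
    if checks is None:
        return "REJECT"  # user not in the file
    # Every check item must match; an entry with no check items accepts anywhere
    ok = all(request.get(attr) in allowed for attr, allowed in checks)
    return "ACCEPT" if ok else "REJECT"


if __name__ == "__main__":
    for args in [("10.0.0.2", "user1@NOC", "10.0.0.1"),
                 ("192.168.2.13", "user1", "192.168.2.13"),
                 ("10.1.1.1", "user2", "10.1.1.1"),
                 ("192.168.2.13", "user4", "192.168.2.13"),
                 ("172.16.0.9", "user4", "172.16.0.9")]:
        print(args, authorise(*args))
```

The point the model makes explicit is that the per-device grouping lives in the Client clause and the user file, not in the shared secret: a request from an address with no Client clause is ignored outright, and an entry with no check items (user4) is accepted from any defined device, which is worth remembering when auditing such a file.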


-----Original Message-----
From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On
Behalf Of Henning Markussen
Sent: Monday, May 19, 2008 6:03 AM
To: radiator at open.com.au
Subject: (RADIATOR) Client identifier

Hello

I have a task where I need to separate a lot of network devices into those
that are allowed to log on and those that are not.

The problem is that I don't have a list of all the IP addresses.
Currently I'm using this setup to handle all devices the same.

<Client DEFAULT>
      Secret xxxx
      Identifier Default
</Client>

and then later the
<Handler Client-Identifier = Default>
</Handler>

Since I don't have a complete list of IP addresses, my plan was maybe to
use different secrets.

<Client other>
      Secret verysecret1
      Identifier other
</Client>

<Client DEFAULT>
      Secret verysecret1
      Identifier Default
</Client>


and then

<Handler Client-Identifier = other>
do something
</Handler>

<Handler Client-Identifier = Default>
do something
</Handler>

But it seems that the Client part has to be IP specific or the default
class.

I looked at IdenticalClients, but that again comes back to the problem
that I don't have a complete IP list.

Is there another way/option/approach that I have missed?
Or any other ideas ....

- Henning

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
