[RADIATOR] Evaluating RADIATOR

Rafael Rodriguez packetjockey at gmail.com
Tue Nov 8 12:36:23 CST 2011


Hi list,

We are in the process of evaluating RADIATOR for our AAA needs.  We are
still in the initial stages of eval and are noticing that RADIATOR is
extremely flexible and also a bit daunting (not a bad thing) at first
glance because of all the options it has.  The ref manual and the goodies
have a bunch of great info but I want to make sure that RADIATOR satisfies our
needs before spending loads of time playing with it.

Here is what we need:
Juniper (JUNOS) devices to authenticate users via TACACS+.  Authentication
of the users should be done via 1) LDAPS queries to Active Directory and/or
2) local accounts.  If Authentication is done by 1) then check Active
Directory group membership to determine which local RADIATOR group(s) the
user is mapped to.  RADIATOR groups = user's permissions.  If
Authentication is done by 2) then just check local RADIATOR group(s) for
user permissions.

I don't know if there is such a thing as 'mappings' between AD groups and
local RADIATOR groups or how this would actually work.

As far as Accounting goes, I know RADIATOR can write to a log file but can
we also use syslog?

Is it possible to have 'groups' of NAS devices?  Something like NAS groups
Routers, Firewalls, etc.?  If so, how does one determine which group
a NAS device falls into?  Can we do this via IP, IP/Mask, some TACACS+
attribute, etc?

From a 10k foot view of RADIATOR, what are the major configuration/policy
components available to users?  Is there such a thing as NAS client groups,
Authentication and Authorization "role mappings"?

Does anyone have a working configuration they could share for the LDAPS
queries to AD and Authorization based on AD group members?  Thanks!