[RADIATOR] Evaluating RADIATOR

Heikki Vatiainen hvn at open.com.au
Wed Nov 9 10:01:25 CST 2011


On 11/08/2011 08:36 PM, Rafael Rodriguez wrote:

Hello Rafael,

> Here is what we need:
> Juniper (JUNOS) devices to authenticate users via TACACS+.
>  Authentication of the users should be done via 1) LDAPS queries to
> Active Directory and/or 2) local accounts.  If Authentication is done by
> 1) then check Active Directory group membership to determine which local
> RADIATOR group(s) the user is mapped to.  RADIATOR groups = user's
> permissions.  If Authentication is done by 2) then just check local
> RADIATOR group(s) for user permissions.

> I don't know if there is such a thing as 'mappings' between AD groups
> and local RADIATOR groups or how this would actually work.

To do this, you could pull the AD group info into the request for later
processing. See AuthAttrDef.

There are ways to do this: you could maybe use AuthBy FILE with
AuthenticateAttribute, or a simple hook that does the mapping.

> As far as Accounting goes, I know RADIATOR can write to a log file but
> can we also use syslog?

File and SQL are supported. There is no direct method to use syslog for
this.

> Is it possible to have 'groups' of NAS devices?  Something like NAS
> groups Routers, Firewalls, etc.?  If so how does one determine into
> which group does a NAS device fall into?  Can we do this via IP,
> IP/Mask, some TACACS+ attribute, etc?

Client, ClientListSQL and ClientListLDAP support specifying Identifier
for the client. Assign the same Identifier for each device that belongs
to a group. You can then select the group with e.g. <Handler
Client-Identifier=Router>. Note that you need recent patches because
there was a recent fix for this.

> From a 10k foot view of RADIATOR, what are the major
> configuration/policy components available to users?  Is there such a
> thing as NAS client groups, Authentication and Authorization "role
> mappings"?

Client Identifier was discussed above, and reviewing the GroupMemberAttr and
AuthorizeGroup options in the goodies files and ref.pdf should give some
ideas of how authorization info can be transferred.

Maybe these goodies files would be useful to check now:

tacacsplusserver.cfg, tacacsplustest and tacplus.txt

> Does anyone have a working configuration they could share for the LDAPS
> queries to AD and Authorization based on AD group members?  Thanks!

Thanks!
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
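As an added illustration of how the pieces Heikki names above fit together (this is not from the original post, nor a configuration shipped with Radiator), here is a sketch: Client definitions that share an Identifier to group NAS devices, a Handler selected on Client-Identifier, AuthBy FILE for local accounts with AuthBy LDAP2 over LDAPS as the AD path, AuthAttrDef copying the AD memberOf values into the request, and a PostAuthHook that maps AD group DNs to a local group name which ServerTACACSPLUS reads via GroupMemberAttr and authorizes with AuthorizeGroup. Host names, DNs, secrets, IP addresses, group names and the privilege rules are placeholders. The AuthorizeGroup rule syntax, the `request` type for AuthAttrDef and the Client-Identifier handling for TACACS+ requests are assumptions that should be checked against ref.pdf and goodies/tacacsplusserver.cfg for the Radiator version in use.

```apacheconf
# Added example (not from the original post or Radiator's goodies files).
# All addresses, host names, DNs, secrets and group names are placeholders.

Foreground
LogStdout
LogDir  /var/log/radiator
DbDir   /etc/radiator
Trace   3

# NAS grouping: every device in a group carries the same Identifier.
<Client 192.0.2.1>
	Secret      radius-secret-placeholder
	Identifier  Router
</Client>
<Client 192.0.2.2>
	Secret      radius-secret-placeholder
	Identifier  Router
</Client>
<Client 192.0.2.10>
	Secret      radius-secret-placeholder
	Identifier  Firewall
</Client>

# TACACS+ front end. The Junos devices talk TACACS+ to this; Radiator turns
# each request into a RADIUS request that the Handlers below process.
# GroupMemberAttr names the reply attribute whose value selects the
# AuthorizeGroup rule set (assumed format: group permit|deny regexp {attrs}).
<ServerTACACSPLUS>
	Key             tacacs-secret-placeholder
	GroupMemberAttr OSC-Group-Identifier
	AuthorizeGroup  netadmin permit service=shell cmd\* {priv-lvl=15}
	AuthorizeGroup  netadmin permit .*
	AuthorizeGroup  netops   permit service=shell cmd\* {priv-lvl=1}
	AuthorizeGroup  netops   permit service=shell cmd=show .*
	AuthorizeGroup  netops   deny   .*
	# Anyone without a mapped group gets nothing.
	AuthorizeGroup  DEFAULT  deny   .*
</ServerTACACSPLUS>

# Only requests from devices whose Identifier is "Router" reach this Handler.
<Handler Client-Identifier=Router>
	# Try local accounts first; fall through to AD if the user is not local.
	AuthByPolicy ContinueUntilAccept

	# 1) Local accounts. Each entry carries its group in the reply, e.g.:
	#      bob   Encrypted-Password = "<crypt hash>"
	#            OSC-Group-Identifier = netadmin
	<AuthBy FILE>
		Filename %D/local-users
	</AuthBy>

	# 2) AD over LDAPS with certificate verification; AD checks the password.
	#    AuthAttrDef copies every memberOf DN into the request for the hook.
	<AuthBy LDAP2>
		Host                 dc1.example.com
		Port                 636
		UseSSL
		SSLVerify            require
		SSLCAFile            /etc/radiator/ad-ca.pem
		AuthDN               CN=radiator,OU=Service,DC=example,DC=com
		AuthPassword         bind-password-placeholder
		BaseDN               DC=example,DC=com
		UsernameAttr         sAMAccountName
		ServerChecksPassword
		HoldServerConnection
		AuthAttrDef          memberOf,OSC-Group-Identifier,request
	</AuthBy>

	# Map AD group DNs to a local group name and put it in the reply.
	# A local account already has the reply attribute, so it passes through.
	# An AD user in no mapped group is rejected rather than left ungrouped.
	PostAuthHook sub { \
		my $p  = ${$_[0]}; \
		my $rp = ${$_[1]}; \
		return unless ${$_[2]} == $main::ACCEPT; \
		return if defined $rp->get_attr('OSC-Group-Identifier'); \
		my %map = ( \
			'CN=NetAdmins,OU=Groups,DC=example,DC=com' => 'netadmin', \
			'CN=NetOps,OU=Groups,DC=example,DC=com'    => 'netops', \
		); \
		foreach my $dn ($p->get_attr('OSC-Group-Identifier')) { \
			if (exists $map{$dn}) { \
				$rp->add_attr('OSC-Group-Identifier', $map{$dn}); \
				return; \
			} \
		} \
		${$_[2]} = $main::REJECT; \
		${$_[3]} = 'Authenticated but not in a mapped AD group'; \
	}
</Handler>
```

The hook looks at all memberOf values rather than using AuthenticateAttribute on a second AuthBy FILE, because AD users are usually in several groups and AuthenticateAttribute would only see the first one. Rejecting an authenticated user with no mapped group, and ending the AuthorizeGroup list with a DEFAULT deny, keeps an account that merely exists in AD from getting a shell on a router.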

