[RADIATOR] Configuration Question

Heikki Vatiainen hvn at open.com.au
Tue Mar 13 18:19:34 CDT 2012


On 03/13/2012 05:57 PM, Derek Rider wrote:

Hello Derek,

> We currently have an installation running Radiator 3.15. We use Radiator for
> TACACS authentication with Safeword.  We are moving to version 4.9.  Our
> current radius.cfg, for the default realm, authenticates
> users with the Authby File:
> 
> <Realm DEFAULT>
> 
> 	AuthByPolicy ContinueAlways

With this policy, reply attributes will be collected from each
matching AuthBy. So if the user is matched by multiple AuthBys, these
all will contribute to the set of returned reply attributes. That will
likely contribute to the maintenance nightmare too.


> 	<AuthBy FILE>
> 	Filename	%D/tacacsusers
> 	</AuthBy> ...
> 
> 	
> The file tacacsusers has entries like the following:
> 
> UserOne
> 	Tacacs-Group = ADMIN
> UserTwo	NAS-IP-Address = 111.111.111.111
> 	Tacacs-Group = ADMIN
> UserThree	NAS-IP-Address = 222.222.222.222
> 	Tacacs-Group = ADMIN
>
> We then have about 300 additional AuthBy File statements.  Each file is for
> an individual device/IP at different locations.  Users in these files have
> different permissions as well.  For example, READNOCONFIG or READONLY.  This
> has gotten to be a maintenance nightmare.  Is there a better way to do this?

It's a bit hard to say how to reduce the number of entries, but you
could consider the following:

- alternation, for example: NAS-IP-Address = 1.2.3.4|2.3.4.5
If a user has similar rights to multiple NASes, the above syntax can be
used to specify them all with one entry.

- other backends: If the information can be structured for e.g. SQL
relations, you could use an SQL database to hold the authorization
information and query it with <AuthBy SQL>

It's hard to say exactly how to simplify your setup without knowing
your setup better.

> Also, we have a problem where a user's rights for one device will change if
> that user authenticates to another device with a higher level.  For example,
> we see a user authenticating to a device at a read only level.  That same
> user will then authenticate to another device at an ADMIN level.  That user's
> rights to the first device will be for an ADMIN.

This problem is likely fixed with the upgrade. From the change log:
http://www.open.com.au/radiator/history.html

o Revision 4.6 (2010-02-05) New features and some bug fixes.

  The TacacsPlus group cache GroupCacheFile now uses the IP address
  of the client as part of the key, so that in situations where the
  group name depends on the client the correct group name will be
  retrieved

There are also many other Tacacs related changes. See the history file
for more.

Thanks!
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
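The following Python model is an added illustration, not code from Radiator or from this thread: it parses users files in the layout quoted above, applies the `|` alternation on check items, and merges reply items across several AuthBys the way ContinueAlways collects them, so you can see which entries contributed a Tacacs-Group for a given user and NAS. The two file contents, the request dictionary and the overwrite rule on clashing reply items are assumptions of the model, not Radiator's documented behaviour.

```python
# Constructed sample users files in the layout quoted in the thread; each
# string stands for one <AuthBy FILE>. These are not the poster's real files.
FILE_A = """\
UserOne
\tTacacs-Group = ADMIN
UserTwo\tNAS-IP-Address = 111.111.111.111|222.222.222.222
\tTacacs-Group = ADMIN
"""
FILE_B = """\
UserTwo\tNAS-IP-Address = 222.222.222.222
\tTacacs-Group = READONLY
"""

def parse_users(text):
    """Parse a users file into (user, check_items, reply_items) tuples.
    A non-indented line is a username followed by tab-separated check items;
    indented lines hold the reply items of the entry above them."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":                        # reply items for current entry
            for item in line.split(","):
                k, v = (s.strip() for s in item.split("=", 1))
                entries[-1][2][k] = v
        else:                                       # username line with check items
            name, *items = [p.strip() for p in line.split("\t") if p.strip()]
            checks = dict(tuple(s.strip() for s in i.split("=", 1)) for i in items)
            entries.append((name, checks, {}))
    return entries

def entry_matches(entry, user, request):
    name, checks, _ = entry
    # '|' alternation: the request attribute must equal one of the alternatives
    return name == user and all(request.get(k) in v.split("|") for k, v in checks.items())

def authorize(authbys, user, request):
    """ContinueAlways model: every matching entry in every AuthBy contributes its
    reply items. Assumption: on a clash the later AuthBy's value overwrites, so
    the resulting privilege level depends on the order of the AuthBy clauses."""
    replies, matched_authbys = {}, []
    for idx, entries in enumerate(authbys):
        for entry in entries:
            if entry_matches(entry, user, request):
                matched_authbys.append(idx)
                replies.update(entry[2])
    return replies, matched_authbys
```

Running it for UserTwo against 222.222.222.222 shows both files matching, which is the ambiguity the reply above warns about; against 111.111.111.111 only the alternation entry in the first file matches.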
