[RADIATOR] Infinera with AuthBy SQL

nhovha at gmail.com
Wed Dec 4 21:33:59 CST 2013


Hi

I have been tasked with getting our new Infinera infrastructure to
authenticate against our radiator servers.

The catch here is that our current configuration is TACACS+ for our
Cisco equipment and the Infinera kit only supports RADIUS.

We wanted to use the same database (example below) so that our
engineers would have the same credentials and access levels across
both environments.

| test   | {SSHA}****     | tacacsgroup = admin     |
| test2  | {SSHA}****     | tacacsgroup = readonly  |

I have a working solution but was wondering if there was a more
elegant way keeping in mind that I probably can't touch the database.

<Realm DEFAULT>
    AuthByPolicy ContinueUntilAccept

    <AuthBy SQL>
        Identifier tacacsauth
        DBSource dbi:mysql:tacacs
        DBUsername radius
        DBAuth *********

        NoDefault
        NoDefaultIfFound
        IgnoreAccounting
        FailureBackoffTime 10

        AuthSelect select password, checkattr, replyattr \
            from tacacsUser \
            where username=%0 \
            and replyattr rlike "admin$"
        AuthColumnDef 0, Encrypted-Password, check

        AddToReply Infinera-User-Priv-SA = SA-PRIVILEGED,\
            Infinera-User-Priv-NE = NE-PRIVILEGED,\
            Infinera-User-Priv-NA = NA-PRIVILEGED,\
            Infinera-User-Priv-PR = PR-PRIVILEGED,\
            Infinera-User-Priv-TT = TT-PRIVILEGED,\
            Infinera-User-AdminDomain = "FX,LAB",\
            Infinera-User-Max-Concurrent-Session = 2,\
            Infinera-User-Allowed-Timezone-Config = TIMEZONE-CONFIG-ALLOW,\
            Infinera-User-TimeZone = "IST",\
            Service-Type = Framed-User,\
            Framed-Protocol = PPP,\
            Framed-IP-Netmask = 255.255.255.255,\
            Framed-Routing = None,\
            Framed-MTU = 1500,\
            Framed-Compression = Van-Jacobson-TCP-IP
    </AuthBy>

    <AuthBy SQL>
        Identifier tacacsauth
        DBSource dbi:mysql:tacacs
        DBUsername radius
        DBAuth *********

        NoDefault
        NoDefaultIfFound
        IgnoreAccounting
        FailureBackoffTime 10

        AuthSelect select password, checkattr, replyattr \
            from tacacsUser \
            where username=%0 \
            and replyattr rlike "readonly$"
        AuthColumnDef 0, Encrypted-Password, check

        AddToReply Infinera-User-Priv-SA = SA-NONPRIVILEGED,\
            Infinera-User-Priv-NE = NE-NONPRIVILEGED,\
            Infinera-User-Priv-NA = NA-NONPRIVILEGED,\
            Infinera-User-Priv-PR = PR-NONPRIVILEGED,\
            Infinera-User-Priv-TT = TT-NONPRIVILEGED,\
            Infinera-User-Priv-MA = MA-PRIVILEGED,\
            Infinera-User-AdminDomain = "FX,LAB",\
            Infinera-User-Max-Concurrent-Session = 2,\
            Infinera-User-Allowed-Timezone-Config = TIMEZONE-CONFIG-ALLOW,\
            Infinera-User-TimeZone = "IST",\
            Service-Type = Framed-User,\
            Framed-Protocol = PPP,\
            Framed-IP-Netmask = 255.255.255.255,\
            Framed-Routing = None,\
            Framed-MTU = 1500,\
            Framed-Compression = Van-Jacobson-TCP-IP
    </AuthBy>
</Realm>

Any ideas would be appreciated.

Regards
Derick
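The post's two AuthBy SQL blocks each run the same query with a different suffix regex on replyattr and then attach a different Infinera privilege profile. The following is an added, self-contained illustration of that logic as a single lookup (not Radiator configuration and not code from the post): one query fetches the row, the `{SSHA}` password is verified, and the `tacacsgroup` value selects which set of reply attributes to return. The table contents, the `make_ssha`/`verify_ssha`/`authenticate` helpers and the use of an in-memory sqlite3 database instead of the post's MySQL are assumptions made for the example; the attribute names and values are those from the post.

```python
import base64
import hashlib
import hmac
import os
import sqlite3
from typing import Optional


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style {SSHA} hash: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Check a cleartext password against a {SSHA} hash; the salt is the
    trailing bytes after the 20-byte SHA-1 digest. Constant-time compare."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    computed = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, computed)


# Attributes common to both AuthBy blocks in the post.
COMMON_REPLY = {
    "Infinera-User-AdminDomain": "FX,LAB",
    "Infinera-User-Max-Concurrent-Session": "2",
    "Infinera-User-Allowed-Timezone-Config": "TIMEZONE-CONFIG-ALLOW",
    "Infinera-User-TimeZone": "IST",
    "Service-Type": "Framed-User",
    "Framed-Protocol": "PPP",
    "Framed-IP-Netmask": "255.255.255.255",
    "Framed-Routing": "None",
    "Framed-MTU": "1500",
    "Framed-Compression": "Van-Jacobson-TCP-IP",
}

# Privilege profiles keyed by the tacacsgroup value stored in replyattr,
# copied from the "admin" and "readonly" AuthBy blocks in the post.
PROFILES = {
    "admin": {
        "Infinera-User-Priv-SA": "SA-PRIVILEGED",
        "Infinera-User-Priv-NE": "NE-PRIVILEGED",
        "Infinera-User-Priv-NA": "NA-PRIVILEGED",
        "Infinera-User-Priv-PR": "PR-PRIVILEGED",
        "Infinera-User-Priv-TT": "TT-PRIVILEGED",
    },
    "readonly": {
        "Infinera-User-Priv-SA": "SA-NONPRIVILEGED",
        "Infinera-User-Priv-NE": "NE-NONPRIVILEGED",
        "Infinera-User-Priv-NA": "NA-NONPRIVILEGED",
        "Infinera-User-Priv-PR": "PR-NONPRIVILEGED",
        "Infinera-User-Priv-TT": "TT-NONPRIVILEGED",
        "Infinera-User-Priv-MA": "MA-PRIVILEGED",
    },
}


def tacacs_group(replyattr: str) -> Optional[str]:
    """Parse 'tacacsgroup = admin' into 'admin'; exact key match, not a suffix regex."""
    key, sep, value = replyattr.partition("=")
    if sep != "=" or key.strip() != "tacacsgroup":
        return None
    return value.strip()


def authenticate(conn: sqlite3.Connection, username: str, password: str) -> Optional[dict]:
    """One lookup: verify the {SSHA} password, then choose the reply profile by group.
    Returns the reply attributes on success, or None (Access-Reject) for an unknown
    user, a wrong password, or a group that has no profile."""
    row = conn.execute(
        "SELECT password, checkattr, replyattr FROM tacacsUser WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return None
    stored, _checkattr, replyattr = row
    if not verify_ssha(password, stored):
        return None
    group = tacacs_group(replyattr)
    if group not in PROFILES:
        return None
    return {**COMMON_REPLY, **PROFILES[group]}


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for the post's tacacsUser table (sqlite3, in memory)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tacacsUser (username TEXT PRIMARY KEY, "
                 "password TEXT, checkattr TEXT, replyattr TEXT)")
    conn.executemany("INSERT INTO tacacsUser VALUES (?, ?, ?, ?)", [
        ("test", make_ssha("test-pass"), "", "tacacsgroup = admin"),
        ("test2", make_ssha("test2-pass"), "", "tacacsgroup = readonly"),
        ("other", make_ssha("other-pass"), "", "tacacsgroup = notadmin"),
    ])
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for user, pw in [("test", "test-pass"), ("test2", "test2-pass"), ("test", "wrong")]:
        print(user, authenticate(db, user, pw))
```

The design point the example makes is that the group is parsed and matched exactly, whereas the post's `rlike "admin$"` is a suffix match, so a replyattr value such as `tacacsgroup = notadmin` would also satisfy the admin block's query; the constructed `other` row shows that an unrecognised group yields a reject rather than a privilege set.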

