[RADIATOR] Infinera with AuthBy SQL

Hugh Irvine hugh at open.com.au
Wed Dec 4 22:30:18 CST 2013


Hello -

I generally find it easiest to use Identifiers in the Client clauses with corresponding Handlers instead of Realm(s).

Something like this:


…..

<Client 1.1.1.1>
	Identifier Infinera
	…..
</Client>

<Client 2.2.2.2>
	Identifier Infinera
	…..
</Client>

<Client 3.3.3.3>
	Identifier Infinera
	…..
</Client>

…..

<ServerTACACSPLUS>
	
	…..

	AddToRequest NAS-Identifier=TACACS

</ServerTACACSPLUS>

# Deal with Infinera devices

<Handler Client-Identifier = Infinera>

	…..

</Handler>

# Deal with TACACS

<Handler NAS-Identifier = TACACS>

	…..

</Handler>

…..


regards

Hugh


On 5 Dec 2013, at 14:33, nhovha at gmail.com wrote:

> Hi
> 
> I have been tasked with getting our new Infinera infrastructure to
> authenticate against our radiator servers.
> 
> The catch here is that our current configuration is TACACS+ for our
> Cisco equipment and the Infinera kit only supports Radius.
> 
> We wanted to use the same database (example below) so that our
> engineers would have the same credentials and access levels across
> both environments.
> 
> | test                   | {SSHA}****     | tacacsgroup = admin      |
> | test2                  | {SSHA}****     | tacacsgroup = readonly   |
> 
> I have a working solution but was wondering if there was a more
> elegant way keeping in mind that I probably can't touch the database.
> 
> <Realm DEFAULT>
> AuthByPolicy ContinueUntilAccept
> 
>    <AuthBy SQL>
>       Identifier tacacsauth
>       DBSource dbi:mysql:tacacs
>       DBUsername radius
>       DBAuth *********
> 
>       NoDefault
>       NoDefaultIfFound
>       IgnoreAccounting
>       FailureBackoffTime 10
> 
>       AuthSelect select password, checkattr, replyattr \
>           from tacacsUser \
>           where username=%0 \
>           and replyattr rlike "admin$"
>       AuthColumnDef 0, Encrypted-Password, check
> 
>       AddToReply Infinera-User-Priv-SA = SA-PRIVILEGED,\
>       Infinera-User-Priv-NE = NE-PRIVILEGED,\
>       Infinera-User-Priv-NA = NA-PRIVILEGED,\
>       Infinera-User-Priv-PR = PR-PRIVILEGED,\
>       Infinera-User-Priv-TT = TT-PRIVILEGED,\
>       Infinera-User-AdminDomain = "FX,LAB",\
>       Infinera-User-Max-Concurrent-Session =2,\
>       Infinera-User-Allowed-Timezone-Config = TIMEZONE-CONFIG-ALLOW,\
>       Infinera-User-TimeZone = "IST",\
>       Service-Type = Framed-User,\
>       Framed-Protocol = PPP,\
>       Framed-IP-Netmask = 255.255.255.255,\
>       Framed-Routing = None,\
>       Framed-MTU = 1500,\
>       Framed-Compression = Van-Jacobson-TCP-IP
>    </AuthBy>
> 
>    <AuthBy SQL>
>           Identifier tacacsauth
>           DBSource dbi:mysql:tacacs
>           DBUsername radius
>           DBAuth iepu0oeC
> 
>           NoDefault
>           NoDefaultIfFound
>           IgnoreAccounting
>           FailureBackoffTime 10
> 
>           AuthSelect select password, checkattr, replyattr \
>               from tacacsUser \
>               where username=%0 \
>               and replyattr rlike "readonly$"
>           AuthColumnDef 0, Encrypted-Password, check
> 
>           AddToReply Infinera-User-Priv-SA = SA-NONPRIVILEGED,\
>           Infinera-User-Priv-NE = NE-NONPRIVILEGED,\
>           Infinera-User-Priv-NA = NA-NONPRIVILEGED,\
>           Infinera-User-Priv-PR = PR-NONPRIVILEGED,\
>           Infinera-User-Priv-TT = TT-NONPRIVILEGED,\
>           Infinera-User-Priv-MA = MA-PRIVILEGED,\
>           Infinera-User-AdminDomain = "FX,LAB",\
>           Infinera-User-Max-Concurrent-Session =2,\
>           Infinera-User-Allowed-Timezone-Config = TIMEZONE-CONFIG-ALLOW,\
>           Infinera-User-TimeZone = "IST",\
>           Service-Type = Framed-User,\
>           Framed-Protocol = PPP,\
>           Framed-IP-Netmask = 255.255.255.255,\
>           Framed-Routing = None,\
>           Framed-MTU = 1500,\
>           Framed-Compression = Van-Jacobson-TCP-IP
>    </AuthBy>
> </Realm>
> 
> Any ideas would be appreciated.
> 
> Regards
> Derick
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


--

Hugh Irvine
hugh at open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. 
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
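The quoted configuration selects a user's privilege level by running the same AuthSelect twice with different `rlike` suffixes on the replyattr column, under `AuthByPolicy ContinueUntilAccept`. The following Python model, added here as an example and not code from Radiator or from either poster, replays that row selection over a few constructed rows so the suffix regex can be compared against an exact match on the parsed `tacacsgroup` value; the third user (`test3`, group `nonadmin`) is a constructed row that exists only to show the difference. Password verification is out of scope, so a matching row counts as an accept.

```python
"""Python model of the row selection in the quoted AuthBy SQL clauses.

Added example; this is not Radiator code or code posted by either author.
It replays the two AuthSelect filters and the ContinueUntilAccept policy
over constructed rows so the behaviour of `replyattr rlike "admin$"` can
be compared with an exact group match, without needing a MySQL server.
"""
import re

# Constructed rows shaped like the tacacsUser table in the question:
# (username, password, checkattr, replyattr). Hashes are placeholders.
TACACS_USERS = [
    ("test", "{SSHA}placeholder", None, "tacacsgroup = admin"),
    ("test2", "{SSHA}placeholder", None, "tacacsgroup = readonly"),
    # Constructed extra row: a group name that merely ends in "admin".
    ("test3", "{SSHA}placeholder", None, "tacacsgroup = nonadmin"),
]

# Per-group privilege attributes copied from the two AddToReply blocks.
INFINERA_REPLY = {
    "admin": {
        "Infinera-User-Priv-SA": "SA-PRIVILEGED",
        "Infinera-User-Priv-NE": "NE-PRIVILEGED",
        "Infinera-User-Priv-NA": "NA-PRIVILEGED",
        "Infinera-User-Priv-PR": "PR-PRIVILEGED",
        "Infinera-User-Priv-TT": "TT-PRIVILEGED",
    },
    "readonly": {
        "Infinera-User-Priv-SA": "SA-NONPRIVILEGED",
        "Infinera-User-Priv-NE": "NE-NONPRIVILEGED",
        "Infinera-User-Priv-NA": "NA-NONPRIVILEGED",
        "Infinera-User-Priv-PR": "PR-NONPRIVILEGED",
        "Infinera-User-Priv-TT": "TT-NONPRIVILEGED",
        "Infinera-User-Priv-MA": "MA-PRIVILEGED",
    },
}

# The two clauses in the order Radiator tries them under
# AuthByPolicy ContinueUntilAccept: (rlike pattern, group it represents).
CLAUSES = [("admin$", "admin"), ("readonly$", "readonly")]


def rows_by_rlike(username, pattern, rows=TACACS_USERS):
    """Mimic `where username=%0 and replyattr rlike "<pattern>"`.

    MySQL RLIKE on non-binary columns is case-insensitive and unanchored,
    so re.search with IGNORECASE is the closest Python equivalent.
    """
    rx = re.compile(pattern, re.IGNORECASE)
    return [r for r in rows if r[0] == username and rx.search(r[3])]


GROUP_RE = re.compile(r"^\s*tacacsgroup\s*=\s*(\S+)\s*$", re.IGNORECASE)


def tacacs_group(replyattr):
    """Extract the group name from a `tacacsgroup = <name>` reply attribute."""
    m = GROUP_RE.match(replyattr or "")
    return m.group(1).lower() if m else None


def rows_by_exact_group(username, group, rows=TACACS_USERS):
    """Exact-group alternative to the suffix regex."""
    return [r for r in rows if r[0] == username and tacacs_group(r[3]) == group]


def users_matching(pattern, rows=TACACS_USERS):
    """Usernames whose replyattr satisfies the rlike pattern."""
    rx = re.compile(pattern, re.IGNORECASE)
    return sorted({r[0] for r in rows if rx.search(r[3])})


def users_in_group(group, rows=TACACS_USERS):
    """Usernames whose parsed tacacsgroup equals `group`."""
    return sorted({r[0] for r in rows if tacacs_group(r[3]) == group})


def reply_attributes(username, exact=False, rows=TACACS_USERS):
    """Walk the clauses like ContinueUntilAccept and return the first reply.

    With exact=False the original suffix regex decides; with exact=True the
    parsed group name must equal the clause's group. Returns None when no
    clause finds a row, which is what NoDefault turns into a reject.
    """
    for pattern, group in CLAUSES:
        if exact:
            hit = rows_by_exact_group(username, group, rows)
        else:
            hit = rows_by_rlike(username, pattern, rows)
        if hit:
            return dict(INFINERA_REPLY[group])
    return None


if __name__ == "__main__":
    print("rlike admin$   :", users_matching("admin$"))
    print("exact admin    :", users_in_group("admin"))
    print("test3 (suffix) :", reply_attributes("test3"))
    print("test3 (exact)  :", reply_attributes("test3", exact=True))
```

Running the module shows that `admin$` selects both `test` and the constructed `test3`, while the exact match selects only `test`; the ordered clause walk reproduces why `test2` falls through the first clause and is accepted by the second.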


