[RADIATOR] Multiple levels of privileges based on UNIX group membership?

Johnson, Neil M neil-johnson at uiowa.edu
Thu Feb 13 19:02:32 UTC 2020


Are the following radius.cfg snippet and users file workable?

The goal is to have users authenticate with a UNIX account and then, based on their UNIX group membership, assign different privilege levels on the switch CLI (Cisco).


### radius.cfg

# LC Wired net devices
<Client 172.24.128.0/20>
    IdenticalClients fd9a:2c75:7d0c:1017::/64
    # CB area Wired net devices
    IdenticalClients 172.24.160.0/20
    IdenticalClients fd9a:2c75:7d0c:201a::/64
    # BSB area Wired net devices
    IdenticalClients 172.24.192.0/20
    IdenticalClients fd9a:2c75:7d0c:3020::/64
    # Oakdale (ITF) area Wired net devices
    IdenticalClients 172.24.224.0/20
    IdenticalClients fd9a:2c75:400c:3020::/64
    #
    Identifier EDGE_Switches
    Secret  SECRET
    DupInterval 0
</Client>

<AuthBy GROUP>
    Identifier local_thing_users_group

    # Run the inner AuthBys in order and stop (rejecting) at the first one
    # that does not accept, so the FILE authorization step below only runs
    # for users whose UNIX password was good.
    AuthByPolicy ContinueWhileAccept

    # rewrite username to prepend lu_ (i.e., jcmuelle becomes lu_jcmuelle);
    # the rewritten name is what the inner AuthBys look up
    RewriteUsername s/(.*)/lu_$1/

    # Authenticate user via UNIX account
    # (radiusd must be able to read /etc/shadow)
    <AuthBy UNIX>
        AuthenProto PAP, Unknown
        Filename /etc/shadow
        GroupFileName /etc/group
        Nocache
    </AuthBy>

    # Authorize users by UNIX Group membership: the users file carries only
    # Group and Client-Identifier check items and must not check the password
    # again (see Auth-Type = Accept in the users file)
    <AuthBy FILE>
        Filename %D/users
    </AuthBy>

</AuthBy>

# Handler for "EDGE_Switches" (testing)
<Handler Client-Identifier="EDGE_Switches">

    AuthByPolicy ContinueWhileReject
    AuthBy local_thing_users_group

    AcctLogFileName /var/log/neg/radius/radiator.acct
    ExcludeRegexFromPasswordLog .*
    AuthLog authlogger

</Handler>

### USERS FILE

# The password was already verified by the AuthBy UNIX inside the group, so
# Auth-Type = Accept skips the password check here and leaves only the check
# items (client and group membership) to decide which entry matches.
# (Auth-Type must not name the group's own Identifier, which would loop back
# into the same AuthBy GROUP.) DEFAULT entries are tried in order and the
# first one whose check items all match wins, so the most privileged group
# is listed first. Reply items continue on indented lines, each but the last
# ending in a comma; the quotes inside the roles value are part of the value.

# EDGE Network Switches (Admins)
DEFAULT Auth-Type = Accept, Client-Identifier = EDGE_Switches, Group = nesstaff
    Session-Timeout = 0,
    cisco-avpair = shell:roles="network-admin",
    cisco-avpair = shell:priv-lvl=15

# EDGE Network Switches (Limited Access)
DEFAULT Auth-Type = Accept, Client-Identifier = EDGE_Switches, Group = pistaff
    Session-Timeout = 0,
    cisco-avpair = shell:roles="pi-admin",
    cisco-avpair = shell:priv-lvl=7

--
Neil Johnson
Network Architect
The University of Iowa
319 384-0938
neil-johnson at uiowa.edu<mailto:neil-johnson at uiowa.edu>
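The following is an added example, not part of the message above and not Radiator's own code: a small Python re-implementation of just the pieces the posted config relies on (the RewriteUsername prefix, /etc/group membership lookup, and first-match evaluation of DEFAULT entries with Client-Identifier and Group check items), so the users-file logic can be sanity-checked offline before pointing a switch at the server. It assumes the users file uses Auth-Type = Accept (password already verified by AuthBy UNIX). The group-file lines and the users-file text are constructed sample data; the users-file parser handles only the simple "Attr = value," form used here, not quoted values containing commas.

```python
"""Offline check of a Radiator-style users file with Group check items.

Added example (not from the mailing-list post or from Radiator). Assumes
Auth-Type = Accept in the users file; sample data below is constructed.
"""
import re

# Constructed /etc/group content: name:passwd:gid:member,member
GROUP_FILE = """\
nesstaff:x:1001:lu_jcmuelle,lu_neil
pistaff:x:1002:lu_alice,lu_neil
users:x:100:lu_bob
"""

# Constructed users file in the format used in the post.
USERS_FILE = """\
# EDGE Network Switches (Admins)
DEFAULT Auth-Type = Accept, Client-Identifier = EDGE_Switches, Group = nesstaff
    Session-Timeout = 0,
    cisco-avpair = shell:roles="network-admin",
    cisco-avpair = shell:priv-lvl=15

# EDGE Network Switches (Limited Access)
DEFAULT Auth-Type = Accept, Client-Identifier = EDGE_Switches, Group = pistaff
    Session-Timeout = 0,
    cisco-avpair = shell:roles="pi-admin",
    cisco-avpair = shell:priv-lvl=7
"""


def rewrite_username(name):
    # Same effect as RewriteUsername s/(.*)/lu_$1/ : substitute once only.
    # Without count=1 Python would also match the empty string at the end
    # and produce "lu_jcmuellelu_".
    return re.sub(r'(.*)', r'lu_\1', name, count=1)


def parse_group_file(text):
    """Map group name -> set of member usernames (4th field of /etc/group)."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith('#'):
            continue
        name, _pw, _gid, members = line.split(':', 3)
        groups[name] = {m for m in members.split(',') if m}
    return groups


def split_items(s):
    # "A = v, B = w," -> [('A', 'v'), ('B', 'w')]. A value runs to the next
    # comma, so '=' and ':' inside it are kept (e.g. shell:priv-lvl=15).
    items = []
    for part in s.split(','):
        part = part.strip()
        if not part:
            continue
        attr, _, val = part.partition('=')
        items.append((attr.strip(), val.strip()))
    return items


def parse_users_file(text):
    """Return entries as dicts: name, check (list of pairs), reply (list)."""
    entries, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0] not in ' \t':            # header line: name + check items
            name, _, checks = raw.partition(' ')
            current = {'name': name, 'check': split_items(checks), 'reply': []}
            entries.append(current)
        else:                              # indented continuation: reply items
            current['reply'].extend(split_items(raw))
    return entries


def authorize(user, client_id, groups, entries):
    """First entry whose check items all match wins; None means reject."""
    name = rewrite_username(user)
    for e in entries:
        ok = True
        for attr, val in e['check']:
            if attr == 'Auth-Type':
                ok = ok and val == 'Accept'           # password done elsewhere
            elif attr == 'Client-Identifier':
                ok = ok and val == client_id
            elif attr == 'Group':
                ok = ok and name in groups.get(val, set())
            else:
                ok = False                            # unknown check: fail closed
        if ok:
            return list(e['reply'])
    return None


def priv_level(reply_items):
    """Extract the Cisco priv-lvl from a reply list, or None if absent."""
    for attr, val in reply_items or []:
        m = re.fullmatch(r'shell:priv-lvl=(\d+)', val)
        if attr == 'cisco-avpair' and m:
            return int(m.group(1))
    return None


if __name__ == '__main__':
    groups = parse_group_file(GROUP_FILE)
    entries = parse_users_file(USERS_FILE)
    for user in ('jcmuelle', 'alice', 'neil', 'bob'):
        reply = authorize(user, 'EDGE_Switches', groups, entries)
        print(user, '->', 'REJECT' if reply is None else reply)
```

Running it shows the ordering consequence worth knowing: a user who is in both nesstaff and pistaff (neil in the sample data) gets priv-lvl 15 because the admin DEFAULT entry is matched first, and a user in neither group, or a request from a client whose Identifier is not EDGE_Switches, matches no entry and is rejected.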

