> From: "Kaczmarek, Thaddeus" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Foundry command authorization help
> Date: Fri, 21 Nov 2003 11:21:00 -0500
> Reply-To: [EMAIL PROTECTED]
> 
> I am having some issues with command authorization. Foundry has a
> Foundry-Command-String attribute and suspect I am just a chucklehead :-)
> 
> Syntax should be 
> 
> Foundry-Command-String = "configure terminal",
> Foundry-Command-String = "int ethernet 20",
> Foundry-Command-String = "speed-duplex *",
> 
> or
> Foundry-Command-String = "configure terminal, int ethernet 20,
> speed-duplex *",
> 
> I have tried both but am suspecting that Foundry does not support what I
> think they do :-)
> 
> They have authorization levels 0,4 and 5. But in the cli you can only
> enter one. I am used to Cisco where you can have multiple ones hence my
> despair.

First, the Foundry dictionary file that comes with FreeRADIUS doesn't
have those attributes, so you'll need to edit it.  What you need to add
is pretty straightforward in Foundry's docs.  (I'll submit my dictionary
file to the project when I'm sure it's got everything; I just added some
stuff for their management software yesterday.)

Second, you'll need to give the user the appropriate privilege level,
and use the command-exception-flag VSA to tell it to only allow those
commands.  And then, list all the commands comma-separated in the
foundry-command-string attribute.  What's below works for me:

maint           Crypt-Password == "junk"
                foundry-privilege-level = 0,
                foundry-command-string = "copy running-config *; enable",
                foundry-command-exception-flag = 0

This is with a FastIron 1500 running 07.6.03hT51.

Good luck,
Dave

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
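
An added example, not part of the original message or of FreeRADIUS: a small Python model of the allow/deny decision that the three reply attributes in the "maint" entry describe, useful for reviewing a profile offline before deploying it. It assumes ';' separates commands (as in the working entry), that a trailing '*' is a prefix wildcard, and that flag value 1 inverts the list; the function names are hypothetical and the device's own matching may differ.

```python
# Added example (not from the thread): a model of the allow/deny decision.
# Assumptions: ';' separates commands, a trailing '*' is a prefix wildcard,
# and flag 1 inverts the list. The device's own matching may differ.

def parse_command_string(value):
    """Split a foundry-command-string value on ';' and collapse whitespace."""
    return [" ".join(part.split()) for part in value.split(";") if part.strip()]

def matches(command, pattern):
    """Exact match, or prefix match when the pattern ends with '*'."""
    if pattern.endswith("*"):
        return command.startswith(pattern[:-1])
    return command == pattern

def is_authorized(command, command_string, exception_flag):
    """flag 0: only listed commands allowed; flag 1: listed commands denied."""
    if exception_flag not in (0, 1):
        raise ValueError("exception flag must be 0 or 1")
    command = " ".join(command.split())
    listed = any(matches(command, p) for p in parse_command_string(command_string))
    return listed if exception_flag == 0 else not listed

def audit(commands, command_string, exception_flag):
    """Return {command: 'permit'|'deny'} for reviewing a profile offline."""
    return {c: "permit" if is_authorized(c, command_string, exception_flag) else "deny"
            for c in commands}

# Reply attributes taken from the "maint" entry above.
MAINT = ("copy running-config *; enable", 0)
# Constructed sample commands for the audit.
SAMPLE = ["enable", "copy running-config tftp 192.0.2.10 sw1.cfg",
          "configure terminal", "copy   running-config  tftp 192.0.2.10 x"]

if __name__ == "__main__":
    for cmd, verdict in audit(SAMPLE, *MAINT).items():
        print(f"{verdict:6} {cmd}")
```

Under these assumptions a comma-joined value parses as a single pattern, so a profile that permits nothing is worth checking for the wrong separator first.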
