I seem to be missing something. How should the values be defined in the
users file to achieve the specification below? Should I separate the
Cisco routers and the 3Com switches in the huntgroups file? Is it
permissible for there to be multiple vendors' Vendor-Specific values on
a "users" entry re:

DEFAULT Service-Type == Administrative-User, Autz-Type := ADMINS, Auth-Type := Kerberos
        Service-Type = Administrative-User,
        3com = 3Com-Administrator,
        Cisco-AVPair = "xxx:whatever=3",
        Fall-Through = no



3Com Vendor Specific Attribute 

The default user levels on the Switch (monitor, manager, admin) are
supported by a 3Com Vendor Specific Attribute (VSA). The Vendor-ID for
3Com is 43. You must configure the RADIUS server to send this attribute
in the Access-Accept message in order to specify the access level
required for each user account. The configurable attribute values are:

   Monitor (1): the user can view all manageable parameters, except
   special/security features, but cannot change any manageable parameters.

   Manager (2): the user can access and change the operational
   parameters but not special/security features.

   Administrator (3): the user can access and change all manageable
   parameters.

The attribute body consists of a 3Com Vendor type (1), Vendor data
length (6) and the Vendor data (4 octet integer containing the access
level value), as shown in Figure 25. 

Figure 25 3Com Vendor Specific Attribute 
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    Type=26    |   Length=12   |     Vendor-Id = 3Com (43)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       Vendor-Id (cont)         | 3Com type = 1 |  Length = 6   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       User-Access-Level                       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

radiusd is receiving:
        User-Name = "klg"
        User-Password = "12345678"
        NAS-Port-Type = Virtual
        NAS-IP-Address = 111.111.11.111
        Service-Type = Administrative-User
        Framed-MTU = 1024
        Calling-Station-Id = "123.123.123.123"
        Message-Authenticator = 0x3ddf5a8a5d1177f4277dcd8ccc451b8a
        Client-IP-Address = 123.123.123.124

It's authorizing, authenticating, and replying with
Packet-Type = Access-Accept
        Service-Type = Administrative-User
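
Added example, not part of the original post and not FreeRADIUS code: a Python sketch that encodes the 3Com attribute exactly as laid out in Figure 25 and decodes every Vendor-Specific attribute in a reply. It goes one step past the figure by placing a Cisco VSA in the same attribute list, since RFC 2865 carries each vendor's data in its own type-26 attribute. Function names and the sample reply are constructed for illustration; Cisco's vendor number 9 and Cisco-AVPair vendor type 1 are not stated in the post.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type carrying VSAs (RFC 2865)
VENDOR_3COM = 43       # Vendor-Id given in the quoted 3Com text
VENDOR_CISCO = 9       # Cisco enterprise number; Cisco-AVPair is vendor type 1
LEVELS = {1: "Monitor", 2: "Manager", 3: "Administrator"}

def encode_vsa(vendor_id, vendor_type, data):
    """Build one Vendor-Specific attribute holding a single sub-attribute."""
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    body = struct.pack("!I", vendor_id) + sub
    if 2 + len(body) > 255:
        raise ValueError("attribute exceeds 255 octets")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def encode_3com_level(level):
    """Figure 25: 3Com type 1, length 6, 4-octet access level."""
    if level not in LEVELS:
        raise ValueError("access level must be 1, 2 or 3")
    return encode_vsa(VENDOR_3COM, 1, struct.pack("!I", level))

def parse_vsas(attrs):
    """Return [(vendor_id, vendor_type, data)] for every VSA in an attribute list."""
    found, pos = [], 0
    while pos < len(attrs):
        if len(attrs) - pos < 2 or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("malformed attribute at offset %d" % pos)
        a_type, body = attrs[pos], attrs[pos + 2:pos + attrs[pos + 1]]
        pos += attrs[pos + 1]
        if a_type != VENDOR_SPECIFIC:
            continue  # e.g. Service-Type; not a VSA
        if len(body) < 6:
            raise ValueError("Vendor-Specific attribute too short")
        vendor_id, sub = struct.unpack("!I", body[:4])[0], body[4:]
        while sub:
            if len(sub) < 2 or not 2 <= sub[1] <= len(sub):
                raise ValueError("malformed vendor sub-attribute")
            found.append((vendor_id, sub[0], sub[2:sub[1]]))
            sub = sub[sub[1]:]
    return found

def sample_reply():
    """Constructed Access-Accept attribute list: Service-Type plus two VSAs."""
    service_type = struct.pack("!BBI", 6, 6, 6)  # Service-Type = Administrative-User
    cisco = encode_vsa(VENDOR_CISCO, 1, b"xxx:whatever=3")  # placeholder from the post
    return service_type + encode_3com_level(3) + cisco

if __name__ == "__main__":
    for vendor, vtype, data in parse_vsas(sample_reply()):
        print(vendor, vtype, data)
```

Running parse_vsas over the attribute bytes of a captured Access-Accept returns an empty list when, as in the debug output above, only Service-Type was sent.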


