On Tuesday 24 January 2006 11:24, Laker Netman wrote:
> I have a Cisco 3660 router configured for dialup AAA
> through FR (1.0.5) to access our LAN. I also have the
> login to the router itself, for admin, authenticating
> through FR (MySQL backend).
> The same DB is used for all auth, so currently anyone
> with a dialup account could also telnet into the
> router. This leaves only my 'enable' password to
> prevent problems.
> I want to configure FR to eliminate this ability for
> all but a select group of users (admins). There are
> other devices I would like to add to the list later.
> I've been looking at huntgroups as the solution, but
> was unsure how (or if) this could be handled via sql
> rather than the users file.
>
> Is anyone doing this and could provide a sample config
> layout?
>
> Thx,
> Laker
Set up auth detail logs, or run in debug mode, to see what special attributes are sent when an admin logs into the router. With that info, set up a huntgroup that matches on all or a subset of those attributes and add that as a check item for your admin users. We specify the password for the admin user because we didn't want the admin passwords to be the same as the dialup passwords. An example of what we use is below.

Kevin Bonner

== huntgroups ==
admin   Service-Type == Login-User, NAS-Port-Type == Virtual, Calling-Station-Id == "AAA.BBB.CCC.DDD"
== end huntgroups ==

== users ==
DEFAULT Huntgroup-Name == "admin"
        Cisco-AVPair := "shell:priv-lvl=1",
        Fall-Through = 1

keb     Huntgroup-Name == "admin", Crypt-Password == "..."

... more admin entries ...

# reject all admin auth
DEFAULT Huntgroup-Name == "admin", Auth-Type := Reject
== end users ==
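As an added illustration (not from the post and not FreeRADIUS code): a small Python model of how a 1.x users file is walked for the entries above, showing that the Fall-Through entry only contributes the priv-lvl reply and that the closing DEFAULT Huntgroup-Name reject is what turns dialup accounts away from the router. The user names, the "keb-secret" password, and the trailing dialup DEFAULT entry are assumed, and plaintext comparison stands in for Crypt-Password.

```python
# Added model of the 1.x users-file walk (not FreeRADIUS code); plaintext stands in for Crypt-Password.
# The "admin" huntgroup from the post: every attribute listed must match the request.
HUNTGROUPS = {"admin": {"Service-Type": "Login-User",
                        "NAS-Port-Type": "Virtual",
                        "Calling-Station-Id": "AAA.BBB.CCC.DDD"}}
# Entries in file order: (name, check items, reply items, Fall-Through).
# "keb-secret" and the last entry (ordinary dialup users) are assumed values.
USERS = [
    ("DEFAULT", {"Huntgroup-Name": "admin"}, {"Cisco-AVPair": "shell:priv-lvl=1"}, True),
    ("keb", {"Huntgroup-Name": "admin", "Crypt-Password": "keb-secret"}, {}, False),
    ("DEFAULT", {"Huntgroup-Name": "admin", "Auth-Type": "Reject"}, {}, False),
    ("DEFAULT", {"Service-Type": "Framed-User"}, {"Framed-Protocol": "PPP"}, False),
]
# Check items that configure how the request is handled rather than being compared.
CONFIG_ITEMS = {"Crypt-Password", "Auth-Type"}

def entry_matches(name, check, request):
    """True if the entry's name and its comparable check items match the request."""
    if name != "DEFAULT" and name != request.get("User-Name"):
        return False
    for attr, value in check.items():
        if attr in CONFIG_ITEMS:
            continue
        if attr == "Huntgroup-Name":
            if any(request.get(a) != v for a, v in HUNTGROUPS[value].items()):
                return False
        elif request.get(attr) != value:
            return False
    return True

def authorize(request):
    """Walk entries top to bottom, collecting items until an entry without Fall-Through matches."""
    matched, config, reply = False, {}, {}
    for name, check, items, fall_through in USERS:
        if not entry_matches(name, check, request):
            continue
        matched = True
        config.update({k: v for k, v in check.items() if k in CONFIG_ITEMS})
        reply.update(items)
        if not fall_through:
            break
    return matched, config, reply

def decide(request):
    """Final outcome: ('Accept', reply items) or ('Reject', {})."""
    matched, config, reply = authorize(request)
    bad_password = "Crypt-Password" in config and request.get("User-Password") != config["Crypt-Password"]
    if not matched or config.get("Auth-Type") == "Reject" or bad_password:
        return "Reject", {}
    return "Accept", reply
```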
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html