Norman Zhang wrote:
> I have the following setup for users
>
> DEFAULT Auth-Type = System
> 	Fall-Through = Yes,
> 	cisco-avpair = "shell:priv-lvl=1",
> 	Service-Type = NAS-Prompt-User
>
> DEFAULT Group == router-ro
> 	cisco-avpair := "shell:priv-lvl=7"
>
> DEFAULT Group == router-rw
> 	cisco-avpair := "shell:priv-lvl=15"
>
> However, system users not in group router-ro or router-rw are still able
> to login with privilege level = 1.
Because you configured the server to permit that. Please read "man
users" to see how the "users" file works.
> Is there a way to force only group
> router-ro and router-rw can login?
Switch the entries around:
DEFAULT Group == router-ro
	Fall-Through = Yes,
	cisco-avpair := "shell:priv-lvl=7"

DEFAULT Group == router-rw
	Fall-Through = Yes,
	cisco-avpair := "shell:priv-lvl=15"

DEFAULT Auth-Type = System
	Service-Type = NAS-Prompt-User
And do NOT just blindly try it and see if it works. Spend some time
understanding it first.
Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
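The thread above turns on two properties of the users file: entries are tried top to bottom, and an entry without Fall-Through ends the search. The following users fragment is an added example, not the configuration posted by either Norman or Alan. It assumes FreeRADIUS with rlm_unix in the authorize section (which is what provides the Group check item), and a Cisco IOS NAS that honours shell:priv-lvl. It goes one step further than the thread by rejecting everyone who is in neither group, rather than giving them a reply with no privilege level.

```text
# Added example: only members of router-ro and router-rw may log in.
# Assumes the "Group" check item (rlm_unix in authorize) and a Cisco
# NAS that interprets shell:priv-lvl.

# No Fall-Through here, so the first matching entry wins and the
# rejecting DEFAULT at the bottom is reached only by users who are in
# neither group. Check items on the first line are ANDed.
DEFAULT Group == router-ro, Auth-Type := System
	Service-Type = NAS-Prompt-User,
	cisco-avpair = "shell:priv-lvl=7"

DEFAULT Group == router-rw, Auth-Type := System
	Service-Type = NAS-Prompt-User,
	cisco-avpair = "shell:priv-lvl=15"

# Everyone else is rejected before any password check takes place.
DEFAULT Auth-Type := Reject
	Reply-Message = "Not authorized for router access"
```

Because there is no Fall-Through, a user who is in both groups gets the router-ro entry (privilege 7) simply because it comes first; swap the two entries if the higher privilege should win in that case. Service-Type is repeated in each entry for the same reason, since nothing falls through to a shared DEFAULT. Test the ordering with the server in debug mode (radiusd -X) and radtest for a member of each group and for a user in neither, and read the "users" section of the debug output before putting it on a production server.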