On 10 Jul 2013, at 12:46, Mathieu Simon <[email protected]> wrote:

> G'day list
> 
> 
> I have been tinkering with some Netgear managed L2/L3 switching stuff and
> got the login working via freeradius (actually quite simple compared to
> EAP stuff for wireless).
> 
> But when issuing "enable" after login, going into what they call
> "Privileged EXEC" mode it will - very similar to Cisco - send a request
> for a user $enab15$ to the radius server when FR doesn't send Cisco's own
> attribute value pair for privileges.
> 
> At least defining such a user leads to working elevation to this
> privileged mode but requires it instead of using the network admin's own
> password.
> 
> In general a lot of commands on these Netgears are (very much) similar to
> Cisco IOS where one can use "shell:priv-lvl=15" avpair during
> authentication so the Cisco switch/router knows the privilege level of the
> logged in user and thus won't ask for a $enab15$ user.
> 
> FreeRADIUS doesn't have a dictionary for Netgear stuff yet, I don't think
> Netgear copied Cisco's own AVpair use, but in case they do have their own
> AV pairs, how do you guys generally identify them?

By asking Netgear.

There's no way to query the NAS to determine which attributes it supports. Or 
to decode unknown VSAs into meaningful data. This is not a limitation of 
FreeRADIUS, but a limitation of the protocol.

-Arran

Arran Cudbard-Bell <[email protected]>
FreeRADIUS Development Team

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
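
The protocol limitation described in the reply above, as an added example (not code from the thread or from FreeRADIUS): a Vendor-Specific attribute carries only a vendor number, a type number and bytes, so a decoder can name and interpret only what its dictionary already lists. The names `DICTIONARY`, `build_vsa` and `parse_vsas` are hypothetical, and vendor 99999 with type 7 is a constructed placeholder, not a real Netgear attribute.

```python
import struct

# Dictionary limited to the one attribute the thread names. Cisco's IANA
# enterprise number is 9 and Cisco-AVPair is vendor type 1, a string.
DICTIONARY = {(9, 1): ("Cisco-AVPair", "string")}

def build_vsa(vendor_id, vendor_type, value):
    """Encode a Vendor-Specific attribute (RFC 2865 type 26), one sub-attribute."""
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return struct.pack("!BBI", 26, len(sub) + 6, vendor_id) + sub

def parse_vsas(attrs):
    """Return (vendor_id, name, value) for every VSA sub-attribute in attrs."""
    out, i = [], 0
    while i < len(attrs):
        if len(attrs) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        body, i = attrs[i + 2:i + alen], i + alen
        if atype != 26:
            continue  # not Vendor-Specific
        if len(body) < 4:
            raise ValueError("VSA too short to hold a Vendor-Id")
        vendor_id, data, j = struct.unpack("!I", body[:4])[0], body[4:], 0
        while j < len(data):
            # RFC 2865 only recommends the type/length layout inside a VSA,
            # so anything that does not fit it is kept as one opaque blob.
            if len(data) - j < 2 or data[j + 1] < 2 or j + data[j + 1] > len(data):
                out.append((vendor_id, "Opaque", data[j:]))
                break
            vtype, vlen = data[j], data[j + 1]
            raw, j = data[j + 2:j + vlen], j + vlen
            name, kind = DICTIONARY.get((vendor_id, vtype), (f"Attr-{vtype}", None))
            value = raw.decode("utf-8", "replace") if kind == "string" else raw
            out.append((vendor_id, name, value))
    return out

# Constructed sample: vendor 99999 / type 7 is a placeholder. Its four bytes
# could be an integer, an address or flags; the packet itself does not say.
SAMPLE = build_vsa(9, 1, b"shell:priv-lvl=15") + build_vsa(99999, 7, b"\x00\x00\x00\x0f")

if __name__ == "__main__":
    for vendor, name, value in parse_vsas(SAMPLE):
        print(vendor, name, value)
```

The Cisco attribute comes back as a named string, while the placeholder vendor's attribute stays as raw bytes until the vendor's documentation says how to read it.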
