Hello Frank -

On Thu, 31 Aug 2000, FlintHillsTechnical Support wrote:
> Hello--
>
> We have Ascend NASes and a Cisco router that has other NASes
> connected to it via L2F tunnels. We are trying to restrict who can telnet to
> the Cisco router. Previously, we did not have the NASes connected to the Cisco
> so access was restricted by placing the Cisco in a separate realm pointing to a
> users file that only the users allowed on the router were in. The Ascend NASes
> were in another realm pointing to a separate users file that all of the dialup
> users authenticated from.
>
> However, now we have dialup users coming through
> the Cisco from external NASes and this will not work and essentially anyone
> could telnet to the router.
>
> First, we created a common users file and used a
> check item of Service-Type = Framed User and set administrators (those who
> needed access to the Cisco) with no Service-Type check item so they could
> telnet to the router OR dial in via ppp.
>
> But now we realize (much to our
> dismay) that we have users who dial into the Ascend's TermSrv with Linux and
> older Macs that utilize scripts. When accessing this way the Service-Type is
> passed as Login-User and not Framed User.
>
> Does anyone have ideas on this?
> Essentially we want only a few users telnet access to the Cisco yet still allow
> the script users their method of access. I have looked through the archive some
> but really I don't know the best way to search for this issue. Are we
> approaching this correctly by utilizing check items?

You will have to look at the trace 4 packet dumps of the relevant radius
request packets to see what (if anything) is different between the various
requests. You may find that separate Handlers for the different classes of user
are a better approach rather than a single users file. You might also consider
having your administrative users log in with a special realm, such as
"[EMAIL PROTECTED]" (perhaps in conjunction with our RadKey product or
something similar).

hth

Hugh
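
The comparison suggested in the reply above, as an added example that is not part of the original message or of Radiator: a Python script that parses two request dumps and reports which attributes differ, so you can see what a Handler or check item could key on. The dump layout, all sample values, and the function names are assumptions constructed for illustration.

```python
import re

# Constructed sample dumps (not from the thread). The layout is an assumed
# listing of indented "Name = value" attribute lines, one per line.
TELNET_TO_CISCO = """\
Code:       Access-Request
Attributes:
    User-Name = "alice"
    NAS-IP-Address = 192.0.2.1
    Service-Type = Login-User
    NAS-Port-Type = Virtual
"""

SCRIPT_DIALUP_VIA_ASCEND = """\
Code:       Access-Request
Attributes:
    User-Name = "bob"
    NAS-IP-Address = 192.0.2.2
    Service-Type = Login-User
    NAS-Port-Type = Async
"""

ATTR_LINE = re.compile(r"^\s+([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$")

def parse_attributes(dump):
    """Return {attribute: [values]} for the indented 'Name = value' lines."""
    attrs = {}
    for line in dump.splitlines():
        m = ATTR_LINE.match(line)
        if m:
            attrs.setdefault(m.group(1), []).append(m.group(2).strip('"'))
    return attrs

def distinguishing_attributes(dump_a, dump_b, ignore=("User-Name",)):
    """Attributes whose values differ, or that appear on one side only."""
    a, b = parse_attributes(dump_a), parse_attributes(dump_b)
    diff = {}
    for name in sorted(set(a) | set(b)):
        if name not in ignore and a.get(name) != b.get(name):
            diff[name] = (a.get(name), b.get(name))
    return diff

if __name__ == "__main__":
    result = distinguishing_attributes(TELNET_TO_CISCO, SCRIPT_DIALUP_VIA_ASCEND)
    for name, (left, right) in result.items():
        print(f"{name}: {left} vs {right}")
```

In this constructed pair Service-Type is identical in both requests, so it does not appear in the output; only the NAS address and port type separate the two classes of login.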
