Hello--

We have tried to implement Handlers which work, sorta!  We now can allow any user to
connect to our Ascends despite their Service-Type and we can restrict who can telnet
to the Cisco.  However, when we try to dial into the external NAS that is connected to
the Cisco as a normal user it is rejected, and in the debug file is:

Aug 31 15:44:45 x.x.x.x /usr/bin/radiusd[11856]: Access rejected for pja: No such user

Here are our 2 examples of our Clients and our Handler statements.  I am pretty sure
this is a syntax issue...

<Client x.x.x.x>
        Secret  xxxxxx
        DefaultRealm cisco.flinthills.com
</Client>

<Client x.x.x.x>
        Secret  xxxxxx
        DefaultRealm ascend.flinthills.com
</Client>

<Handler Realm=ascend.flinthills.com>
        RewriteUsername tr/A-Z/a-z/
        RewriteUsername s/\@ascend\.flinthills\.com//
        <AuthBy DBFILE>
                Filename %D/users
        </AuthBy>
        AcctLogFileName %L/acct-radius
        WtmpFileName    %L/wtmp-radius
</Handler>

<Handler Service-Type=Framed-User, Realm=cisco.flinthills.com>
        RewriteUsername tr/A-Z/a-z/
        RewriteUsername s/\@cisco\.flinthills\.com//
        <AuthBy DBFILE>
                Filename %D/users
        </AuthBy>
        AcctLogFileName %L/acct-radius
        WtmpFileName    %L/wtmp-radius
</Handler>

<Handler Realm=cisco.flinthills.com>
        RewriteUsername tr/A-Z/a-z/
        RewriteUsername s/\@cisco\.flinthills\.com//
        <AuthBy DBFILE>
                Filename %D/netadm
        </AuthBy>
        AcctLogFileName %L/acct-radius
        WtmpFileName    %L/wtmp-radius
</Handler>


Any help on this would be greatly appreciated!!!

TIA
Frank


>> We have Ascend NASes and a Cisco router that has other NASes
>> connected to it via L2F tunnels. We are trying to restrict who can telnet to
>> the Cisco router.  Previously, we did not have the NASes connected to the Cisco
>> so access was restricted by placing the Cisco in a separate realm pointing to a
>> users file that only the users allowed on the router were in.  The Ascend NASes
>> were in another realm pointing to a separate users file that all of the dialup
>> users authenticated from.
>>
>> However, now we have dialup users coming through
>> the Cisco from external NASes and this will not work and essentially anyone
>> could telnet to the router.
>>
>> First, we created a common users file and used a
>> check item of Service-Type = Framed User and set administrators (those who
>> needed access to the Cisco) with no Service-Type check item so they could
>> telnet to the router OR dial in via ppp.
>>
>> But now we realize (much to our
>> dismay) that we have users who dial into the Ascend's TermSrv with Linux and
>> older Macs that utilize scripts. When accessing this way the Service-Type is
>> passed as Login-User and not Framed User.
>>
>> Does anyone have ideas on this?
>> Essentially we want only a few users telnet access to the Cisco yet still allow
>> the script users their method of access. I have looked through the archive some
>> but really I don't know the best way to search for this issue.  Are we
>> approaching this correctly by utilizing check items?
>
> You will have to look at the trace 4 packet dumps of the relevant radius
> request packets to see what (if anything) is different between the various
> requests. You may find that separate Handlers for the different classes of user
> is a better approach rather than a single users file. You might also consider
> having your administrative users log in with a special realm, such as
> "[EMAIL PROTECTED]" (perhaps in conjunction with our RadKey product or
> something similar).
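An added model (not Radiator's code and not Frank's configuration) of how Radiator picks the first Handler whose check items all match, applied to the three Handlers posted above. The NAS addresses and user entries are constructed, and it assumes the login from the external NAS arrives with a Service-Type other than Framed-User, which is exactly what the trace 4 dump would confirm or rule out.

```python
# Model of Radiator Handler dispatch: Handlers are tried in the order they
# appear and the first one whose check items all match handles the request.
import re

# Constructed NAS addresses standing in for the two x.x.x.x Clients.
CLIENTS = {"10.0.0.1": "cisco.flinthills.com", "10.0.0.2": "ascend.flinthills.com"}

# Constructed stand-ins for %D/users (dialup users) and %D/netadm (router admins).
FILES = {"users": {"pja", "bob"}, "netadm": {"frank"}}

# (check items, user database) in the same order as the posted Handlers.
HANDLERS = [
    ({"Realm": "ascend.flinthills.com"}, "users"),
    ({"Realm": "cisco.flinthills.com", "Service-Type": "Framed-User"}, "users"),
    ({"Realm": "cisco.flinthills.com"}, "netadm"),
]


def apply_default_realm(user_name, nas_ip):
    """The Client's DefaultRealm is appended only when the name has no realm."""
    return user_name if "@" in user_name else f"{user_name}@{CLIENTS[nas_ip]}"


def select_handler(request):
    """Index of the first Handler whose check items all match, else None."""
    for i, (checks, _) in enumerate(HANDLERS):
        if all(request.get(k) == v for k, v in checks.items()):
            return i
    return None


def authenticate(user_name, nas_ip, service_type=None):
    """Dispatch one Access-Request and report accept/reject like the debug log."""
    full = apply_default_realm(user_name, nas_ip)
    realm = full.split("@", 1)[1]
    idx = select_handler({"Realm": realm, "Service-Type": service_type})
    if idx is None:
        return "reject: no Handler matched"
    # Equivalent of the posted RewriteUsername lines: lowercase, strip the realm.
    name = re.sub("@" + re.escape(realm) + "$", "", full.lower())
    db = HANDLERS[idx][1]
    if name in FILES[db]:
        return f"accept via Handler {idx} ({db})"
    return f"reject via Handler {idx} ({db}): No such user"
```

A Framed-User request for pja through the Cisco lands in the second Handler and succeeds, while the same user with Login-User (or no Service-Type) falls through to the netadm Handler and produces the "No such user" rejection from the log.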


===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.