Hi all,

This is my first posting to the list, so go easy on me, OK? :-)

We have recently purchased Radiator to use with our current home-grown
authorisation/time accounting system (primarily to allow us to do volume 
accounting). We currently use XTACACS on our Cisco AS5300 and 2511 NAS's
("tacacs-server ..." in IOS configurations).

I have written a wrapper program around our existing auth/acct programs
to be called by <AuthBy EXTERNAL> and successfully tested it with a test 
radiusd.cfg and radpwtst. So far so good.

What I would like to do now is convert the NAS's to use Radius and 
provide similar functionality/behaviour as we currently have with
XTACACS, which is:

 - provide access to different user groups, e.g. group 1 can only call
   into NAS 1, group 2 can call both NAS 1 and NAS 2, etc, and admins
   can call into any NAS.

combined with ...

 - provide 3 levels of service/access:
        1) limited exec shell/connect access to our main server for
           telnet/terminal access only.
        2) SLIP/PPP access [note 1]
        3) Authenticated "enable" access for router admins [note 2].

Note 1: for historical reasons, all users must currently log in to
the NAS, then type 'ppp default' to start PPP (likewise for anyone
still using SLIP). We need to preserve this behaviour with Radius
in order not to upset the users :-)  So automatic startup of PPP
is out of the question initially.

Note 2: the current XTACACS functionality requires that the router admin
logs in to the NAS with their normal username/password, then types
'enable', when they are prompted for their username/password again;
if possible I would like to preserve this behaviour with Radius.
(I have experimented with returning Service-Type = Administrative-User
but this immediately gives me full enable privileges, which isn't
what I want)

I've tried searching the list archives and the configs in the
Radiator goodies/ directory, but haven't found the answers.
Can anyone give me some pointers (or example configs) that will 
achieve this (for both IOS and Radiator)?

Thanks,
Jeremy

--
Jeremy Bishop          
[EMAIL PROTECTED]
Australian Unix User Group (AUUG) Canberra Chapter



===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
