Hello Jeremy -

On Saturday 06 January 2001 13:26, [EMAIL PROTECTED] wrote:
> Hi all,
>
> This is my first posting to the list, so go easy on me, OK? :-)
>
> We have recently purchased Radiator to use with our current home-grown
> authorisation/time accounting system (primarily to allow us to do volume
> accounting). We currently use XTACACS on our Cisco AS5300 and 2511 NAS's
> ("tacacs-server ..." in IOS configurations).
>
> I have written a wrapper program around our existing auth/acct programs
> to be called by <AuthBy EXTERNAL> and successfully tested it with a test
> radiusd.cfg and radpwtst. So far so good.
>
> What I would like to do now is convert the NAS's to use Radius and
> provide similar functionality/behaviour as we currently have with
> XTACACS, which is:
>
>  - provide access to different user groups, e.g. group 1 can only call
>    into NAS 1, group 2 can call both NAS 1 and NAS 2, etc, and admins
>    can call into any NAS.
>

What type of database are you using for your user records? And are the 
different groups mentioned above in different databases? The answer to the 
above will determine which solution is best.

> combined with ...
>
>  - provide 3 levels of service/access:
>       1) limited exec shell/connect access to our main server for
>          telnet/terminal access only.
>       2) SLIP/PPP access [note 1]
>       3) Authenticated "enable" access for router admins [note 2].
>
> Note 1: for historical reasons, all users must currently log in to
> the NAS, then type 'ppp default' to start PPP (likewise for anyone
> still using SLIP). We need to preserve this behaviour with Radius
> in order not to upset the users :-)  So automatic startup of PPP
> is out of the question initially.
>

In this case the users will log in to the NAS which will send a Service-Type 
of Login-User in the access request. You will need to return an access accept 
with the same Service-Type = Login-User.

> Note 2: the current XTACACS functionality requires the router admin
> logs in to the NAS with their normal username/password, then types
> 'enable', when they are prompted for their username/password again;
> if possible I would like to preserve this behaviour with Radius.
> (I have experimented with returning Service-Type = Administrative-User
> but this immediately gives me full enable privileges, which isn't
> what I want)
>

This is undoubtedly a NAS configuration issue.

> I've tried searching the list archives and the configs in the
> Radiator goodies/ directory, but haven't found the answers.
> Can anyone give me some pointers (or example configs) that will
> achieve this (for both IOS and Radiator).
>

There are some additional items in the FAQ covering Cisco configuration.

        http://www.open.com.au/radiator/faq.html

regards

Hugh

-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.

===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
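As an added illustration of the two points raised in the thread (per-group NAS restrictions, and echoing Service-Type = Login-User back in the Access-Accept), here is a small decision routine for an <AuthBy EXTERNAL> wrapper. It is example code, not Radiator's or the poster's, and assumes the AuthBy EXTERNAL conventions that request attributes arrive on stdin as "Attribute = value" lines, reply attributes are printed to stdout in the same form, and the exit status signals accept (0) or reject (1); the group table, user table and NAS addresses are constructed placeholders.

```python
import sys

# Constructed sample policy (hypothetical values, not from the thread):
# group -> set of NAS-IP-Address values that group may dial into; None = any NAS.
NAS_BY_GROUP = {
    "group1": {"192.0.2.1"},
    "group2": {"192.0.2.1", "192.0.2.2"},
    "admin": None,
}
USER_GROUP = {"alice": "group1", "bob": "group2", "carol": "admin"}

EXIT_ACCEPT, EXIT_REJECT = 0, 1  # assumed AuthBy EXTERNAL exit-code convention

def parse_request(text):
    """Parse 'Attr = value' lines (values may be double-quoted) into a dict."""
    attrs = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        attrs[name.strip()] = value.strip().strip('"')
    return attrs

def decide(attrs, user_group=USER_GROUP, nas_by_group=NAS_BY_GROUP):
    """Return (exit_code, reply_lines) for a parsed access request.

    Assumes the existing auth program has already verified the password;
    this only enforces which NAS a group may use and builds the reply.
    """
    group = user_group.get(attrs.get("User-Name", ""))
    if group is None:
        return EXIT_REJECT, []            # unknown user: deny
    allowed = nas_by_group[group]
    if allowed is not None and attrs.get("NAS-IP-Address", "") not in allowed:
        return EXIT_REJECT, []            # group not permitted on this NAS
    reply = []
    if attrs.get("Service-Type") == "Login-User":
        # Hugh's point: hand the same Service-Type back so the NAS gives a shell
        reply.append("Service-Type = Login-User")
    return EXIT_ACCEPT, reply

if __name__ == "__main__":
    code, reply = decide(parse_request(sys.stdin.read()))
    for line in reply:
        print(line)
    sys.exit(code)
```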
