Hugh Irvine <[EMAIL PROTECTED]> writes:

<...>

> > What I would like to do now is convert the NASes to use Radius and
> > provide similar functionality/behaviour as we currently have with
> > XTACACS, which is:
> >
> > - provide access to different user groups, e.g. group 1 can only call
> >   into NAS 1, group 2 can call both NAS 1 and NAS 2, etc., and admins
> >   can call into any NAS.
> >
>
> What type of database are you using for your user records? And are the
> different groups mentioned above in different databases? The answer to the
> above will determine which solution is best.

The database is DBM-based, currently called by various programs from
xtacacsd when the user logs in/out and starts/stops PPP. Everyone is in
the same database; the group access is controlled by xtacacsd depending
on the user's primary Unix group on the main server.

> > combined with ...
> >
> > - provide 3 levels of service/access:
> >   1) limited exec shell/connect access to our main server for
> >      telnet/terminal access only.
> >   2) SLIP/PPP access [note 1]
> >   3) Authenticated "enable" access for router admins [note 2].
> >
> > Note 1: for historical reasons, all users must currently log in to
> > the NAS, then type 'ppp default' to start PPP (likewise for anyone
> > still using SLIP). We need to preserve this behaviour with Radius
> > in order not to upset the users :-) So automatic startup of PPP
> > is out of the question initially.
> >
>
> In this case the users will log in to the NAS, which will send a Service-Type
> of Login-User in the access request. You will need to return an access accept
> with the same Service-Type = Login-User.

OK. How does this differ from Service-Type = NAS-Prompt-User? It seems that
NAS-Prompt-User might be better from my limited reading of the RFC.

> > Note 2: the current XTACACS functionality requires that the router admin
> > log in to the NAS with their normal username/password, then type
> > 'enable', when they are prompted for their username/password again;
> > if possible I would like to preserve this behaviour with Radius.
> > (I have experimented with returning Service-Type = Administrative-User,
> > but this immediately gives me full enable privileges, which isn't
> > what I want.)
>
> This is undoubtedly a NAS configuration issue.

Can anyone else help me out here?

Thanks for the help,

Jeremy

--
Jeremy Bishop                                    [EMAIL PROTECTED]
Australian Unix User Group (AUUG) Canberra Chapter

===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
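The exchange above boils down to two mechanics: a per-group check of which NAS the user is calling into (the XTACACS behaviour Jeremy wants to keep), and an Access-Accept that carries a Service-Type reply attribute (Login-User, or NAS-Prompt-User, which is the alternative he asks about). The following is an added example, not code from the Radiator list, from Radiator itself or from Jeremy's site: it models that decision in plain Python and builds the resulting RFC 2865 Access-Accept/Access-Reject packet, including the Response Authenticator a NAS checks against the shared secret. The group names, NAS addresses and shared secret are constructed for illustration; the Service-Type code points (Login-User = 1, Administrative-User = 6, NAS-Prompt-User = 7) are the RFC 2865 values.

```python
"""Group-to-NAS access policy plus RADIUS reply construction (RFC 2865).

Added example for the thread above; the mapping and addresses below are
constructed, not taken from the list or from any real deployment.
"""
import hashlib
import hmac
import struct

CODE_ACCESS_ACCEPT = 2
CODE_ACCESS_REJECT = 3
ATTR_SERVICE_TYPE = 6       # RFC 2865 s.5.6
ATTR_REPLY_MESSAGE = 18     # RFC 2865 s.5.18

# RFC 2865 Service-Type values relevant to the discussion.
SERVICE_TYPE = {
    "Login-User": 1,
    "Framed-User": 2,
    "Administrative-User": 6,
    "NAS-Prompt-User": 7,
}

# Constructed (assumption): primary Unix group -> set of NAS IP addresses the
# group may call into. None means "any NAS", i.e. the admins case.
GROUP_NAS = {
    "dialin1": {"10.0.0.1"},
    "dialin2": {"10.0.0.1", "10.0.0.2"},
    "admins": None,
}


def decide(primary_group, nas_ip, requested_service="Login-User"):
    """Return (code, attrs) for one Access-Request.

    attrs is a list of (type, value_bytes). Everyone who passes the NAS gate is
    given back the Service-Type the NAS asked for, so they land at the NAS
    prompt and start PPP (or type 'enable') by hand, as the thread requires.
    Administrative-User is deliberately never handed out here, since the thread
    reports that it grants enable immediately.
    """
    if primary_group not in GROUP_NAS:
        return CODE_ACCESS_REJECT, [(ATTR_REPLY_MESSAGE, b"unknown group")]
    allowed = GROUP_NAS[primary_group]
    if allowed is not None and nas_ip not in allowed:
        return CODE_ACCESS_REJECT, [(ATTR_REPLY_MESSAGE, b"not permitted on this NAS")]
    service = SERVICE_TYPE[requested_service]
    return CODE_ACCESS_ACCEPT, [(ATTR_SERVICE_TYPE, struct.pack("!I", service))]


def encode_attrs(attrs):
    """Attributes are Type(1) Length(1, includes the two header bytes) Value."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)


def build_response(code, identifier, request_authenticator, secret, attrs):
    """Build an Access-Accept/Reject. Length covers the 20-byte header + attrs.

    Response Authenticator (RFC 2865 s.3):
        MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    """
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + auth + body


def verify_response(packet, request_authenticator, secret):
    """What the NAS does on receipt: recompute the authenticator with its copy
    of the shared secret. A forged or tampered reply fails this check."""
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + body + secret).digest()
    return hmac.compare_digest(auth, expected)


def parse_attrs(packet):
    """Walk the TLV attribute list that follows the 20-byte header."""
    attrs, i = [], 20
    while i < len(packet):
        t, length = packet[i], packet[i + 1]
        attrs.append((t, packet[i + 2:i + length]))
        i += length
    return attrs


def service_type_of(packet):
    """Return the integer Service-Type carried in a reply, or None."""
    for t, v in parse_attrs(packet):
        if t == ATTR_SERVICE_TYPE:
            return struct.unpack("!I", v)[0]
    return None


if __name__ == "__main__":
    req_auth = bytes(range(16))          # constructed Request Authenticator
    secret = b"constructed-shared-secret"
    for group, nas in (("dialin1", "10.0.0.2"), ("dialin2", "10.0.0.2"), ("admins", "10.0.0.9")):
        code, attrs = decide(group, nas)
        pkt = build_response(code, 1, req_auth, secret, attrs)
        print(group, nas, "->", "Accept" if code == CODE_ACCESS_ACCEPT else "Reject",
              "Service-Type", service_type_of(pkt), "valid", verify_response(pkt, req_auth, secret))
```

Swapping the `requested_service` argument from "Login-User" to "NAS-Prompt-User" changes only the value in attribute 6; whether the NAS treats the two differently at its prompt is, as Hugh notes for the enable case, down to the NAS configuration rather than the RADIUS server.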
