Hello -
I generally find it easiest to use Identifiers in the Client clauses with
corresponding Handlers instead of Realm(s).
Something like this:
…..
<Client 1.1.1.1>
    Identifier Infinera
    …..
</Client>
<Client 2.2.2.2>
    Identifier Infinera
    …..
</Client>
<Client 3.3.3.3>
    Identifier Infinera
    …..
</Client>
…..
<ServerTACACSPLUS>
    …..
    AddToRequest NAS-Identifier=TACACS
</ServerTACACSPLUS>

# Deal with Infinera devices
<Handler Client-Identifier = Infinera>
    …..
</Handler>

# Deal with TACACS
<Handler NAS-Identifier = TACACS>
    …..
</Handler>
…..
regards
Hugh
On 5 Dec 2013, at 14:33, [email protected] wrote:
> Hi
>
> I have been tasked with getting our new Infinera infrastructure to
> authenticate against our radiator servers.
>
> The catch here is that our current configuration is TACACS+ for our
> Cisco equipment and the Infinera kit only supports Radius.
>
> We wanted to use the same database (example below) so that our
> engineers would have the same credentials and access levels across
> both environments.
>
> | test | {SSHA}**** | tacacsgroup = admin |
> | test2 | {SSHA}**** | tacacsgroup = readonly |
>
> I have a working solution but was wondering if there was a more
> elegant way keeping in mind that I probably can't touch the database.
>
> <Realm DEFAULT>
>     AuthByPolicy ContinueUntilAccept
>
>     <AuthBy SQL>
>         Identifier tacacsauth
>         DBSource dbi:mysql:tacacs
>         DBUsername radius
>         DBAuth *********
>
>         NoDefault
>         NoDefaultIfFound
>         IgnoreAccounting
>         FailureBackoffTime 10
>
>         AuthSelect select password, checkattr, replyattr \
>             from tacacsUser \
>             where username=%0 \
>             and replyattr rlike "admin$"
>         AuthColumnDef 0, Encrypted-Password, check
>
>         AddToReply Infinera-User-Priv-SA = SA-PRIVILEGED,\
>             Infinera-User-Priv-NE = NE-PRIVILEGED,\
>             Infinera-User-Priv-NA = NA-PRIVILEGED,\
>             Infinera-User-Priv-PR = PR-PRIVILEGED,\
>             Infinera-User-Priv-TT = TT-PRIVILEGED,\
>             Infinera-User-AdminDomain = "FX,LAB",\
>             Infinera-User-Max-Concurrent-Session = 2,\
>             Infinera-User-Allowed-Timezone-Config = TIMEZONE-CONFIG-ALLOW,\
>             Infinera-User-TimeZone = "IST",\
>             Service-Type = Framed-User,\
>             Framed-Protocol = PPP,\
>             Framed-IP-Netmask = 255.255.255.255,\
>             Framed-Routing = None,\
>             Framed-MTU = 1500,\
>             Framed-Compression = Van-Jacobson-TCP-IP
>     </AuthBy>
>
>     <AuthBy SQL>
>         Identifier tacacsauth
>         DBSource dbi:mysql:tacacs
>         DBUsername radius
>         DBAuth iepu0oeC
>
>         NoDefault
>         NoDefaultIfFound
>         IgnoreAccounting
>         FailureBackoffTime 10
>
>         AuthSelect select password, checkattr, replyattr \
>             from tacacsUser \
>             where username=%0 \
>             and replyattr rlike "readonly$"
>         AuthColumnDef 0, Encrypted-Password, check
>
>         AddToReply Infinera-User-Priv-SA = SA-NONPRIVILEGED,\
>             Infinera-User-Priv-NE = NE-NONPRIVILEGED,\
>             Infinera-User-Priv-NA = NA-NONPRIVILEGED,\
>             Infinera-User-Priv-PR = PR-NONPRIVILEGED,\
>             Infinera-User-Priv-TT = TT-NONPRIVILEGED,\
>             Infinera-User-Priv-MA = MA-PRIVILEGED,\
>             Infinera-User-AdminDomain = "FX,LAB",\
>             Infinera-User-Max-Concurrent-Session = 2,\
>             Infinera-User-Allowed-Timezone-Config = TIMEZONE-CONFIG-ALLOW,\
>             Infinera-User-TimeZone = "IST",\
>             Service-Type = Framed-User,\
>             Framed-Protocol = PPP,\
>             Framed-IP-Netmask = 255.255.255.255,\
>             Framed-Routing = None,\
>             Framed-MTU = 1500,\
>             Framed-Compression = Van-Jacobson-TCP-IP
>     </AuthBy>
> </Realm>
>
> Any ideas would be appreciated.
>
> Regards
> Derick
> _______________________________________________
> radiator mailing list
> [email protected]
> http://www.open.com.au/mailman/listinfo/radiator
--
Hugh Irvine
[email protected]
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc.
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
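The two <AuthBy SQL> clauses in the quoted post fetch the same tacacsUser row twice and differ only in the group regex and the Infinera privilege attributes. As an added example (Python, not Radiator code and not from either poster), here is that decision as a single lookup: verify the {SSHA} hash stored in the table, then derive the reply attributes from the tacacsgroup suffix. The table contents, passwords and salts are constructed for the example.

```python
import base64
import hashlib
import hmac
import re

def make_ssha(password: str, salt: bytes) -> str:
    """LDAP-style {SSHA}: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

# Constructed stand-in for the tacacsUser table: username -> (password, replyattr).
# Passwords and salts are made up so the example runs offline.
TACACS_USER = {
    "test": (make_ssha("test-pass", b"\x01\x02\x03\x04"), "tacacsgroup = admin"),
    "test2": (make_ssha("test2-pass", b"\x05\x06\x07\x08"), "tacacsgroup = readonly"),
}

def check_ssha(stored: str, password: str) -> bool:
    """Verify a password against a {SSHA} hash: first 20 bytes are the SHA-1, rest is salt."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)

# Only these attributes differ between the two clauses in the post; the shared ones
# (AdminDomain, TimeZone, Framed-*) are added once from COMMON_REPLY.
PRIVS = ("SA", "NE", "NA", "PR", "TT")
GROUP_REPLY = {
    "admin": {f"Infinera-User-Priv-{p}": f"{p}-PRIVILEGED" for p in PRIVS},
    "readonly": {**{f"Infinera-User-Priv-{p}": f"{p}-NONPRIVILEGED" for p in PRIVS},
                 "Infinera-User-Priv-MA": "MA-PRIVILEGED"},
}
COMMON_REPLY = {"Infinera-User-AdminDomain": "FX,LAB",
                "Infinera-User-Max-Concurrent-Session": "2",
                "Infinera-User-TimeZone": "IST"}

def authenticate(username: str, password: str):
    """Single lookup: verify the hash, then build the reply from the group suffix.
    Returns reply attributes on accept, None on reject (unknown user, bad password,
    or a group that neither of the poster's clauses would match)."""
    row = TACACS_USER.get(username)
    if row is None or not check_ssha(row[0], password):
        return None
    group = re.search(r"(admin|readonly)$", row[1])  # same anchoring as rlike "admin$"
    if group is None:
        return None
    return {**COMMON_REPLY, **GROUP_REPLY[group.group(1)]}
```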