RE: Two routers using the same Radius server?

2005-12-14 Thread Jonathan De Graeve
Client IP address in combination with huntgroups, if you work with a MySQL
db and usergroups.

-- 
Jonathan De Graeve
Network/System Administrator
Imelda vzw
Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]

-
Always read the manual for the correct way to do things because the
number of incorrect ways to do things is almost infinite
-

-Original message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Mark
Tunnell
Sent: Wednesday, 14 December 2005 1:59
To: FreeRadius users mailing list
Subject: Re: Two routers using the same Radius server?

Nice!  That gets me almost all the way there.  I'm able to
authenticate using Auth-Type := Local.  Now I just need to figure out
how to authenticate that type of user name ([EMAIL PROTECTED]) using
Auth-Type := System.  Any ideas how to go about that?

Thanks,

Mark

Lewis Bergman wrote:
 Mark Tunnell wrote:
 
 Suppose I have two Cisco routers both configured to authenticate to
 the same radius server.  How do I allow a particular user access to
 one router but not the other?  Is there a place in the clients.conf or
 users file to configure this?

 Oh yea, Alan gave me a trick with the hints file that adds a realm to a
 client if one is not present that could also help.
 DEFAULT User-Name !~ ".*@", NAS-IP-Address == ip of client
 User-Name := [EMAIL PROTECTED]
 
- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html




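Jonathan's huntgroups suggestion, written out as an added example that is not part of the original thread. The router addresses (192.0.2.1 and 192.0.2.2), the huntgroup names and the user name bob are assumed for illustration; the file paths are the FreeRADIUS defaults. The huntgroups file gives each NAS (or set of NASes) a name, and entries in users then check Huntgroup-Name instead of repeating IP addresses in every entry:

```text
# /etc/raddb/huntgroups  (added example; addresses and names assumed)
#
# Each line names a huntgroup and the check items a request must match
# to be placed in it.  The preprocess module adds Huntgroup-Name to the
# request so later files can test it.
core-router     NAS-IP-Address == 192.0.2.1
edge-router     NAS-IP-Address == 192.0.2.2

# /etc/raddb/users  (added example)
#
# Entries are tried top to bottom; the first entry whose check items all
# match is used and processing stops (unless Fall-Through = Yes).  An
# entry whose check items do not match is simply skipped, so bob's
# reject line below only fires for requests from the edge router.
bob     Huntgroup-Name == edge-router, Auth-Type := Reject
        Reply-Message = "bob may not log in to the edge router"

# Anyone reaching this line is either not bob, or bob on the core
# router.  Authenticate against the local system password file.
DEFAULT Auth-Type := System
```

NAS-IP-Address is whatever the router chose to put into the packet; a router that holds a valid shared secret can report any address there. Where the routers must be told apart by the address they actually send from, check Client-IP-Address in the users file instead, as Alan suggests later in this thread.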


Re: Two routers using the same Radius server?

2005-12-13 Thread Lewis Bergman

Mark Tunnell wrote:

Suppose I have two Cisco routers both configured to authenticate to
the same radius server.  How do I allow a particular user access to
one router but not the other?  Is there a place in the clients.conf or
users file to configure this?

realms might be one way in addition to the obvious different password for 
the same username. I am assuming that the usernames are the same since 
you asked the question.


--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
Off. 325-691-1301
Cell 325-439-0533
fax  325-695-6841


Re: Two routers using the same Radius server?

2005-12-13 Thread Lewis Bergman

Mark Tunnell wrote:

Suppose I have two Cisco routers both configured to authenticate to
the same radius server.  How do I allow a particular user access to
one router but not the other?  Is there a place in the clients.conf or
users file to configure this?

Oh yea, Alan gave me a trick with the hints file that adds a realm to a 
client if one is not present that could also help.

DEFAULT User-Name !~ ".*@", NAS-IP-Address == ip of client
        User-Name := [EMAIL PROTECTED]

--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
Off. 325-691-1301
Cell 325-439-0533
fax  325-695-6841


Re: Two routers using the same Radius server?

2005-12-13 Thread Mark Tunnell
Thanks.

I'm using the local Linux system passwords for authentication.  I
guess I'm wondering if there is any way to identify where the
authentication request is coming from and approve or reject it based
on that per user.  The comments in the user file mention comm server
name but none of the examples in that file or the man page mention
how this would be used.

Mark

Lewis Bergman wrote:
 Mark Tunnell wrote:
 
 Suppose I have two Cisco routers both configured to authenticate to
 the same radius server.  How do I allow a particular user access to
 one router but not the other?  Is there a place in the clients.conf or
 users file to configure this?

 realms might be one way in addition to the obvious different password for
 the same username. I am assuming that the usernames are the same since
 you asked the question.
 


Re: Two routers using the same Radius server?

2005-12-13 Thread Mark Tunnell
Nice!  That gets me almost all the way there.  I'm able to
authenticate using Auth-Type := Local.  Now I just need to figure out
how to authenticate that type of user name ([EMAIL PROTECTED]) using
Auth-Type := System.  Any ideas how to go about that?

Thanks,

Mark

Lewis Bergman wrote:
 Mark Tunnell wrote:
 
 Suppose I have two Cisco routers both configured to authenticate to
 the same radius server.  How do I allow a particular user access to
 one router but not the other?  Is there a place in the clients.conf or
 users file to configure this?

 Oh yea, Alan gave me a trick with the hints file that adds a realm to a
 client if one is not present that could also help.
 DEFAULT User-Name !~ ".*@", NAS-IP-Address == ip of client
 User-Name := [EMAIL PROTECTED]
 


Re: Two routers using the same Radius server?

2005-12-13 Thread Mark Tunnell
Excellent!

Thanks.

Alan DeKok wrote:

   Client-IP-Address.

   and approve or reject it based on that per user.

   bob   Client-IP-Address != 1.2.3.4, Auth-Type := Reject
         Reply-Message = "go away, bob"

   Alan DeKok.
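Alan's Client-IP-Address check, expanded into a complete users file fragment as an added example that is not part of the original thread. 192.0.2.1 and 192.0.2.2 stand for the two routers, and bob and alice are assumed user names. Client-IP-Address is the source address the request arrived from, i.e. the clients.conf entry that matched, so unlike NAS-IP-Address it is not chosen by the router. The entries deliberately leave User-Name untouched, so Auth-Type := System looks up exactly the name the user typed in the local password file:

```text
# /etc/raddb/users  (added example; addresses and user names assumed)
#
# 192.0.2.1 is the router bob may use, 192.0.2.2 the one he may not.
# First matching entry wins.  Check items are on the first line,
# reply items (sent back in Access-Accept or Access-Reject) below it.

# Negative form, as in Alan's reply: this entry only matches when bob's
# request did NOT come from 192.0.2.1.  From 192.0.2.1 the check item
# fails, the entry is skipped and bob falls to the DEFAULT below.
bob     Client-IP-Address != 192.0.2.1, Auth-Type := Reject
        Reply-Message = "bob may not log in from this router"

# Positive form for a user allowed on exactly one router: accept alice
# only from 192.0.2.2.  Processing stops here when it matches.
alice   Client-IP-Address == 192.0.2.2, Auth-Type := System

# alice from anywhere else lands here and is rejected.
alice   Auth-Type := Reject
        Reply-Message = "alice may not log in from this router"

# Everyone else: authenticate against the system password file on any
# router that has an entry in clients.conf.
DEFAULT Auth-Type := System
```

Run radiusd -X while testing, as Lewis suggests below: the debug output shows which users entry matched and the Client-IP-Address the server attached to each request, which is the quickest way to confirm the ordering above does what you expect.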


Re: Two routers using the same Radius server?

2005-12-13 Thread Lewis Bergman

Mark Tunnell wrote:

 Nice!  That gets me almost all the way there.  I'm able to
 authenticate using Auth-Type := Local.  Now I just need to figure out
 how to authenticate that type of user name ([EMAIL PROTECTED]) using
 Auth-Type := System.  Any ideas how to go about that?

 Mark Tunnell wrote:

 Suppose I have two Cisco routers both configured to authenticate to
 the same radius server.  How do I allow a particular user access to
 one router but not the other?  Is there a place in the clients.conf or
 users file to configure this?

 Oh yea, Alan gave me a trick with the hints file that adds a realm to a
 client if one is not present that could also help.
 DEFAULT User-Name !~ ".*@", NAS-IP-Address == ip of client
    User-Name := [EMAIL PROTECTED]

Well, take a look at the docs and there is an explanation of the 
variables you can play with. I don't know what adding an @ in the 
username would do to a Linux password file but my guess would be nothing 
spectacular. Running radiusd -X will give you what the Cisco is passing 
and you can use that to decide which check attribute to manipulate.


--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
Off. 325-691-1301
Cell 325-439-0533
fax  325-695-6841