Okay,
So I am a newbie with just enough knowledge to know this should work, and
have spent a few hours reading all the different cool things RADIUS does for
me.  However, I can't get it to do what we need, and I am sure it's lack of
experience.  I have read the various FAQs and help files, but I must still be
missing something.

1. Problem:
        We are using RADIUS to authenticate logins to routers.  Not for PPP,
dialup, etc, but for command line authentication for network engineers or
admins.  We are using more than one vendor, which means the attributes sent
back to the NAS device are different.

2. What works so far:
        I have been able to create a basic users file and authenticate logins
for my different vendor equipment.  Logins work flawlessly, but using
"freeradius -X" I notice the server is sending all attributes, even if they
aren't for that vendor.  This was expected, based on how I set the thing up:

USER    Auth-Type = System
        Juniper-Local-User-Name = READ_ONLY,
        Riverstone-User-Level = 15

3. What I did differently to keep that from happening.  I created a huntgroup
called BB that had a list of IPs for all the Junipers.  So when I logged in to
one of those devices the first entry in the users file was used.  If I logged
into a device not in the huntgroup list the second entry in the users file was
used.  This works....but it is sloppy, yes? :)

USER    Huntgroup-Name == BB, Auth-Type = System
        Juniper-Local-User-Name = READ_ONLY

USER    Auth-Type = System
        Riverstone-User-Level = 15


4. So how am I really supposed to make this work? :)  I have been told to use
realms, but everything I see makes it look like you have to put @<something>
in the username.  Is this true?  If so, that defeats the purpose of one
username.

PS - My first attempt to send this got blocked due to me sending it from the
wrong email address, sorry for the DUP if the original actually makes it past
moderation.


Thanks,
James


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
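
The matching behaviour described in the post, as an added example (not part of the original message, and not FreeRADIUS code): a simplified Python model of users-file first-match evaluation with a huntgroup check. The huntgroups contents, the 192.0.2.x addresses and the helper names are assumptions made for illustration.

```python
import re

# Constructed sample: documentation-range addresses stand in for the Junipers.
HUNTGROUPS = """\
BB  NAS-IP-Address == 192.0.2.1
BB  NAS-IP-Address == 192.0.2.2
"""
# The two users-file entries from the post, in the same order.
USERS = """\
USER    Huntgroup-Name == BB, Auth-Type = System
        Juniper-Local-User-Name = READ_ONLY

USER    Auth-Type = System
        Riverstone-User-Level = 15
"""
# attribute, operator, value; items are comma-separated (no quoted values here)
ITEM = re.compile(r"\s*([\w-]+)\s*(==|:=|=)\s*([^,]+?)\s*(?:,|$)")

def _lines(text):
    return [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]

def parse_huntgroups(text):
    """Map each NAS-IP-Address to the first huntgroup that lists it."""
    groups = {}
    for line in _lines(text):
        name, rest = line.split(None, 1)
        for attr, _op, value in ITEM.findall(rest):
            if attr == "NAS-IP-Address":
                groups.setdefault(value, name)
    return groups

def parse_users(text):
    """Return [(name, check_items, reply_items)] in file order."""
    entries = []
    for line in _lines(text):
        if line[0].isspace():                  # indented: reply items
            entries[-1][2].extend(ITEM.findall(line))
        else:                                  # unindented: name + check items
            name, rest = (line.split(None, 1) + [""])[:2]
            entries.append((name, ITEM.findall(rest), []))
    return entries

def reply_for(user, nas_ip, users=USERS, huntgroups=HUNTGROUPS):
    """Reply attributes of the first matching entry (model has no Fall-Through)."""
    request = {"Huntgroup-Name": parse_huntgroups(huntgroups).get(nas_ip)}
    for name, checks, reply in parse_users(users):
        # Only "==" check items filter the request; "=" / ":=" set control items.
        if name in (user, "DEFAULT") and all(
                request.get(a) == v for a, op, v in checks if op == "=="):
            return {a: v for a, _op, v in reply}
    return None
```

Swapping the two entries makes the unconditional one match first, so a login from a Juniper in BB would receive Riverstone-User-Level instead.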
