Chandra mohan wrote:
Hi,
I am developing a RADIUS client for our embedded
product. I would like the Radius client implementation
to support the association of privilege level with
individual accounts, e.g. the account "normal_user"
has a privilege that allows read-only access while
account "admin_user" has a privilege that allows
read-write access (can change our system
configuration). Is it possible to use "Service-Type" attribute for
this purpose, with "Login" value for normal_user and
"Administrative" for admin_user. Please clarify.

Yes it is possible, but it is wrong. RFC2865 states:

5.6.  Service-Type

       1      Login
       2      Framed
       3      Callback Login
       4      Callback Framed
       5      Outbound
       6      Administrative
       7      NAS Prompt
       8      Authenticate Only
       9      Callback NAS Prompt
      10      Call Check
      11      Callback Administrative

 <snip>

  Login               The user should be connected to a host.

  Administrative      The user should be granted access to the
                      administrative interface to the NAS from which
                      privileged commands can be executed.

  NAS Prompt          The user should be provided a command prompt
                      on the NAS from which non-privileged commands
                      can be executed.

So you should actually use "NAS Prompt" for read-only and "Administrative" for read-write. "Login" is something else entirely.
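A client-side sketch of the mapping recommended in the reply above, added here as an example and not part of the original thread: it walks the attributes of an Access-Accept and turns Service-Type into a privilege level. The function name, the enum and the sample packets are hypothetical, and denying access when Service-Type is missing, duplicated, malformed or any value other than Administrative or NAS Prompt is an assumption of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum privilege { PRIV_DENY, PRIV_READ_ONLY, PRIV_READ_WRITE };

#define HDR_LEN        20 /* Code, Identifier, Length(2), Authenticator(16) */
#define ACCESS_ACCEPT   2
#define ATTR_SVC_TYPE   6 /* Service-Type attribute number, RFC 2865 5.6 */

/* Map an Access-Accept to a privilege. Assumes the caller has already
 * verified the Response Authenticator. Anything unexpected denies access. */
enum privilege privilege_from_accept(const uint8_t *pkt, size_t n)
{
    if (n < HDR_LEN || pkt[0] != ACCESS_ACCEPT) return PRIV_DENY;
    size_t len = ((size_t)pkt[2] << 8) | pkt[3];
    if (len < HDR_LEN || len > n) return PRIV_DENY;

    enum privilege priv = PRIV_DENY;
    int seen = 0;
    for (size_t off = HDR_LEN; off < len; ) {
        if (len - off < 2) return PRIV_DENY;          /* no room for type+length */
        uint8_t type = pkt[off], alen = pkt[off + 1];
        if (alen < 2 || alen > len - off) return PRIV_DENY; /* malformed */
        if (type == ATTR_SVC_TYPE) {
            if (alen != 6 || seen++) return PRIV_DENY; /* bad size or duplicate */
            uint32_t v = (uint32_t)pkt[off + 2] << 24 | (uint32_t)pkt[off + 3] << 16 |
                         (uint32_t)pkt[off + 4] << 8 | pkt[off + 5];
            if (v == 6) priv = PRIV_READ_WRITE;        /* Administrative */
            else if (v == 7) priv = PRIV_READ_ONLY;    /* NAS Prompt */
            else return PRIV_DENY;                     /* Login, Framed, ... */
        }
        off += alen;
    }
    return priv; /* stays PRIV_DENY when Service-Type is absent */
}

/* Constructed sample packets (id 1, all-zero authenticator), not captures. */
static const uint8_t sample_admin[26]  = { 2, 1, 0, 26, [20] = 6, 6, 0, 0, 0, 6 };
static const uint8_t sample_prompt[26] = { 2, 1, 0, 26, [20] = 6, 6, 0, 0, 0, 7 };
static const uint8_t sample_login[26]  = { 2, 1, 0, 26, [20] = 6, 6, 0, 0, 0, 1 };
static const uint8_t sample_short[26]  = { 2, 1, 0, 26, [20] = 6, 9, 0, 0, 0, 6 };

int main(void)
{
    printf("admin=%d prompt=%d login=%d short=%d\n",
           privilege_from_accept(sample_admin, 26), privilege_from_accept(sample_prompt, 26),
           privilege_from_accept(sample_login, 26), privilege_from_accept(sample_short, 26));
    return 0;
}
```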
