UNCLASSIFIED

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED]] On Behalf Of Mario Carassale
> Sent: Saturday, 19 April 2008 00:49
> To: freeradius-users@lists.freeradius.org
> Subject: Freeradius/Netscreen help
>
> Hi All
>
> I am new to this list, so please understand my funny question :-)
>
> I have freeradius running fine and I want to authenticate a Netscreen
> firewall against it. My question is, how can I get user privileges
> from the radius when a user logs into the firewall?
>
> If I set on the firewall to get privilege from the RADIUS server,
> the login fails, I suppose this is due to not admin privileges.
>
> Thank you for all your help.
>
> Mario
There are a couple of things you need for Netscreens.

1. The Netscreen dictionary. You should find one in the Netscreen doco, but failing that here is the one I use:

------------Start----------------
# -*- text -*-
#
# From:
# http://www.netscreen.com/support/downloads/4.0_configuring_screenOS_for_NTdomain_v11.pdf
#
VENDOR		Netscreen			3224

BEGIN-VENDOR	Netscreen

ATTRIBUTE	NS-Admin-Privilege		1	integer
ATTRIBUTE	NS-VSYS-Name			2	string
ATTRIBUTE	NS-User-Group			3	string
ATTRIBUTE	NS-Primary-DNS			4	ipaddr
ATTRIBUTE	NS-Secondary-DNS		5	ipaddr
ATTRIBUTE	NS-Primary-WINS			6	ipaddr
ATTRIBUTE	NS-Secondary-WINS		7	ipaddr
ATTRIBUTE	NS-NSM-User-Domain-Name		220	string
ATTRIBUTE	NS-NSM-User-Role-Mapping	221	string

#
# Values VSYS-Admin and Read-Only-VSYS-Admin require a NS-VSYS-Name
# attribute in the response packet.
#
VALUE	NS-Admin-Privilege	Root-Admin		1
VALUE	NS-Admin-Privilege	All-VSYS-Root-Admin	2
VALUE	NS-Admin-Privilege	VSYS-Admin		3
VALUE	NS-Admin-Privilege	Read-Only-Admin		4
VALUE	NS-Admin-Privilege	Read-Only-VSYS-Admin	5

END-VENDOR	Netscreen
-----------Finish-------

Put the text into dictionary.netscreen and add a line

$INCLUDE dictionary.netscreen

in share/freeradius/dictionary

2. You need to return some attributes depending on the access level. In raddb/users:

DEFAULT Ldap-Group == `%{Huntgroup-Name}_RWA`
	NS-Admin-Privilege := Root-Admin,
	NS-NSM-User-Domain-Name = global,
	NS-NSM-User-Role-Mapping = "global:Domain Administrator"

DEFAULT Ldap-Group == `%{Huntgroup-Name}_RO`
	NS-Admin-Privilege := Read-Only-Admin,
	NS-NSM-User-Domain-Name = global,
	NS-NSM-User-Role-Mapping = "global:Read-Only Domain Administrator"

DEFAULT Ldap-Group == `%{Huntgroup-Name}_RDA`
	NS-Admin-Privilege := Root-Admin,
	NS-NSM-User-Domain-Name = global,
	NS-NSM-User-Role-Mapping = "global:Restricted Device Administrator"

Obviously your check criteria will need to be adjusted to your requirements, but the return attributes should get you started.
You can set up all kinds of domains and classes of users in the Netscreen, and match them to users as above.

3. Ensure that the password length is sufficient. There is a defined minimum length in the Netscreen software. I think it may be 9 chars but check with your doco.

Hope this helps,
Frank Ranner

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
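As an added illustration (my own code, not Frank's config and nothing shipped with FreeRADIUS): a short Python script that parses a constructed excerpt of the dictionary above and builds, then decodes, the RFC 2865 Vendor-Specific (type 26) attribute bytes that a reply item such as NS-Admin-Privilege := Root-Admin becomes on the wire. It assumes only the vendor id 3224 and attribute codes from that dictionary and the standard VSA layout (Vendor-Id, vendor-type, vendor-length, value).

```python
import struct

NETSCREEN_DICT = """# Constructed excerpt of the dictionary.netscreen posted above (same vendor id and codes)
VENDOR Netscreen 3224
BEGIN-VENDOR Netscreen
ATTRIBUTE NS-Admin-Privilege 1 integer
ATTRIBUTE NS-NSM-User-Domain-Name 220 string
ATTRIBUTE NS-NSM-User-Role-Mapping 221 string
VALUE NS-Admin-Privilege Root-Admin 1
VALUE NS-Admin-Privilege Read-Only-Admin 4
END-VENDOR Netscreen
"""

def parse_dictionary(text):
    """Return (vendor_id, {attr: (code, type)}, {attr: {value_name: int}})."""
    vendor_id, attrs, values = None, {}, {}
    for line in text.splitlines():
        parts = line.split('#', 1)[0].split()  # strip comments, tokenize
        if not parts:
            continue
        if parts[0] == 'VENDOR':
            vendor_id = int(parts[2])
        elif parts[0] == 'ATTRIBUTE':
            attrs[parts[1]] = (int(parts[2]), parts[3])
        elif parts[0] == 'VALUE':
            values.setdefault(parts[1], {})[parts[2]] = int(parts[3])
    return vendor_id, attrs, values

def encode_vsa(dictionary, name, value):
    """Encode one reply item as an RFC 2865 Vendor-Specific (type 26) attribute."""
    vendor_id, attrs, values = dictionary
    code, typ = attrs[name]
    if typ == 'integer':  # accept a named VALUE (Root-Admin) or a raw number
        payload = struct.pack('>I', int(values.get(name, {}).get(value, value)))
    else:                 # string
        payload = value.encode()
    sub = struct.pack('>BB', code, 2 + len(payload)) + payload     # vendor-type, vendor-length
    return struct.pack('>BBI', 26, 6 + len(sub), vendor_id) + sub  # type, length, Vendor-Id

def decode_vsa(dictionary, data):
    """Decode a type-26 attribute back to (attribute-name, value) via the dictionary."""
    vendor_id, attrs, values = dictionary
    typ, length, vid = struct.unpack('>BBI', data[:6])
    assert typ == 26 and length == len(data) and vid == vendor_id, 'not a Netscreen VSA'
    code, sublen = data[6], data[7]
    payload = data[8:6 + sublen]
    name, vtype = next((n, t) for n, (c, t) in attrs.items() if c == code)
    if vtype == 'integer':
        num = struct.unpack('>I', payload)[0]
        return name, {v: k for k, v in values.get(name, {}).items()}.get(num, num)
    return name, payload.decode()
```

If the firewall still rejects the admin login, decoding the Access-Accept from a packet capture this way shows whether the vendor 3224 attributes are actually being returned.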