Hi, thank you to all for your answers. One of the problems I have with Netscreen is that the user root does not get full privileges if authenticated using RADIUS.

Also, a silly question, sorry but I am new to FreeRADIUS. Once the dictionary file is in the right place (/usr/share/freeradius/), what do I need to do in order to get the attributes checked? I am using the local /etc/passwd file for user authentication, but then how do I specify what privilege to give to each user? I hope my question is clear. Thank you again.

mario

Ranner, Frank MR wrote:
>
> UNCLASSIFIED
>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED]] On
>> Behalf Of Mario Carassale
>> Sent: Saturday, 19 April 2008 00:49
>> To: freeradius-users@lists.freeradius.org
>> Subject: Freeradius/Netscreen help
>>
>> Hi All
>>
>> I am new to this list, so please understand my funny question :-)
>>
>> I have freeradius running fine and I want to authenticate a netscreen
>> firewall against it. My question is, how can I get user privileges
>> from the radius when a user logs into the firewall?
>>
>> If I set the firewall to get privilege from the RADIUS server,
>> the login fails; I suppose this is due to not having admin privileges.
>>
>> Thank you for all your help.
>>
>> Mario
>>
>
> There are a couple of things you need for netscreens.
>
> 1. The netscreen dictionary. You should find one in the netscreen doco,
> but failing that here is the one I use:
> ------------Start----------------
> # -*- text -*-
> #
> # From:
> # http://www.netscreen.com/support/downloads/4.0_configuring_screenOS_for_NTdomain_v11.pdf
> #
>
> VENDOR          Netscreen       3224
>
> BEGIN-VENDOR    Netscreen
>
> ATTRIBUTE       NS-Admin-Privilege          1       integer
> ATTRIBUTE       NS-VSYS-Name                2       string
> ATTRIBUTE       NS-User-Group               3       string
> ATTRIBUTE       NS-Primary-DNS              4       ipaddr
> ATTRIBUTE       NS-Secondary-DNS            5       ipaddr
> ATTRIBUTE       NS-Primary-WINS             6       ipaddr
> ATTRIBUTE       NS-Secondary-WINS           7       ipaddr
>
> ATTRIBUTE       NS-NSM-User-Domain-Name     220     string
> ATTRIBUTE       NS-NSM-User-Role-Mapping    221     string
>
> #
> # Values VSYS-Admin and Read-Only-VSYS-Admin require a NS-VSYS-Name
> # attribute in the response packet.
> #
> VALUE   NS-Admin-Privilege      Root-Admin              1
> VALUE   NS-Admin-Privilege      All-VSYS-Root-Admin     2
> VALUE   NS-Admin-Privilege      VSYS-Admin              3
> VALUE   NS-Admin-Privilege      Read-Only-Admin         4
> VALUE   NS-Admin-Privilege      Read-Only-VSYS-Admin    5
>
> END-VENDOR      Netscreen
> -----------Finish-------
>
> Put the text into dictionary.netscreen and add a line
>
>     $INCLUDE dictionary.netscreen
>
> in share/freeradius/dictionary
>
> 2. You need to return some attributes depending on the access level.
> In raddb/users:
>
> DEFAULT Ldap-Group == "%{Huntgroup-Name}_RWA"
>         NS-Admin-Privilege := Root-Admin,
>         NS-NSM-User-Domain-Name = global,
>         NS-NSM-User-Role-Mapping = "global:Domain Administrator"
>
> DEFAULT Ldap-Group == "%{Huntgroup-Name}_RO"
>         NS-Admin-Privilege := Read-Only-Admin,
>         NS-NSM-User-Domain-Name = global,
>         NS-NSM-User-Role-Mapping = "global:Read-Only Domain Administrator"
>
> DEFAULT Ldap-Group == "%{Huntgroup-Name}_RDA"
>         NS-Admin-Privilege := Root-Admin,
>         NS-NSM-User-Domain-Name = global,
>         NS-NSM-User-Role-Mapping = "global:Restricted Device Administrator"
>
> Obviously your check criteria will need to be adjusted to your
> requirements, but the return attributes should get you started. You can
> set up all kinds of domains and classes of users in the netscreen, and
> match them to users as above.
>
> 3. Ensure that the password length is sufficient. There is a defined
> minimum length in the netscreen software. I think it may be 9 chars but
> check with your doco.
>
> Hope this helps,
>
> Frank Ranner
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

--
View this message in context: http://www.nabble.com/Freeradius-Netscreen-help-tp16769356p16823856.html
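The dictionary Frank posted only tells FreeRADIUS how to name Netscreen's vendor attributes; on the wire each reply item such as NS-Admin-Privilege := Root-Admin is carried inside a standard RFC 2865 Vendor-Specific attribute (type 26) with vendor id 3224. The following Python is an added example, not code from the thread or from FreeRADIUS: it parses the VENDOR/ATTRIBUTE/VALUE lines copied from the dictionary above, encodes a reply attribute into that vendor-specific format, and decodes it back, rejecting malformed lengths. The sample values (the 192.0.2.53 DNS address, the role strings) are constructed for the demonstration.

```python
"""Encode/decode Netscreen vendor-specific RADIUS attributes (RFC 2865 type 26).

Added example for the thread above, not part of FreeRADIUS or the original
post.  Dictionary lines are copied from the posted dictionary.netscreen;
all other values are constructed for illustration.
"""
import ipaddress
import struct

# Dictionary text as posted in the thread (comments omitted).
DICTIONARY_NETSCREEN = """
VENDOR        Netscreen 3224
BEGIN-VENDOR  Netscreen
ATTRIBUTE NS-Admin-Privilege 1 integer
ATTRIBUTE NS-VSYS-Name 2 string
ATTRIBUTE NS-User-Group 3 string
ATTRIBUTE NS-Primary-DNS 4 ipaddr
ATTRIBUTE NS-Secondary-DNS 5 ipaddr
ATTRIBUTE NS-Primary-WINS 6 ipaddr
ATTRIBUTE NS-Secondary-WINS 7 ipaddr
ATTRIBUTE NS-NSM-User-Domain-Name 220 string
ATTRIBUTE NS-NSM-User-Role-Mapping 221 string
VALUE NS-Admin-Privilege Root-Admin 1
VALUE NS-Admin-Privilege All-VSYS-Root-Admin 2
VALUE NS-Admin-Privilege VSYS-Admin 3
VALUE NS-Admin-Privilege Read-Only-Admin 4
VALUE NS-Admin-Privilege Read-Only-VSYS-Admin 5
END-VENDOR Netscreen
"""

VENDOR_SPECIFIC = 26  # RFC 2865 attribute type that wraps vendor attributes


def parse_dictionary(text):
    """Return (vendor_id, attrs, values) from FreeRADIUS dictionary syntax.

    attrs maps name -> (number, type); values maps attr name -> {name: int}.
    """
    vendor_id, attrs, values = None, {}, {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "VENDOR":
            vendor_id = int(fields[2])
        elif fields[0] == "ATTRIBUTE":
            attrs[fields[1]] = (int(fields[2]), fields[3])
        elif fields[0] == "VALUE":
            values.setdefault(fields[1], {})[fields[2]] = int(fields[3])
    if vendor_id is None:
        raise ValueError("dictionary has no VENDOR line")
    return vendor_id, attrs, values


def encode_vsa(name, value, dictionary):
    """Build one Vendor-Specific AVP: 26 | len | vendor-id | vtype | vlen | data."""
    vendor_id, attrs, values = dictionary
    number, rtype = attrs[name]
    if rtype == "integer":
        if isinstance(value, str):          # symbolic VALUE name, e.g. Root-Admin
            value = values[name][value]
        data = struct.pack("!I", value)
    elif rtype == "ipaddr":
        data = ipaddress.IPv4Address(value).packed
    elif rtype == "string":
        data = value.encode("utf-8")
    else:
        raise ValueError(f"unsupported dictionary type {rtype}")
    inner = struct.pack("!BB", number, 2 + len(data)) + data
    if 6 + len(inner) > 255:                 # RADIUS length field is one byte
        raise ValueError("attribute too long for a single AVP")
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(inner), vendor_id) + inner


def decode_vsa(raw, dictionary):
    """Parse one Vendor-Specific AVP into [(attr name, value), ...]."""
    vendor_id, attrs, values = dictionary
    by_number = {num: (n, t) for n, (num, t) in attrs.items()}
    names_for = {n: {v: k for k, v in vals.items()} for n, vals in values.items()}
    atype, alen, vid = struct.unpack("!BBI", raw[:6])
    if atype != VENDOR_SPECIFIC or alen != len(raw) or vid != vendor_id:
        raise ValueError("not a Netscreen Vendor-Specific attribute")
    out, pos = [], 6
    while pos < len(raw):
        vtype, vlen = struct.unpack("!BB", raw[pos:pos + 2])
        if vlen < 2 or pos + vlen > len(raw):
            raise ValueError("malformed vendor attribute length")
        data = raw[pos + 2:pos + vlen]
        name, rtype = by_number.get(vtype, (f"Netscreen-Attr-{vtype}", "octets"))
        if rtype == "integer" and len(data) == 4:
            num = struct.unpack("!I", data)[0]
            val = names_for.get(name, {}).get(num, num)   # 1 -> Root-Admin
        elif rtype == "ipaddr" and len(data) == 4:
            val = str(ipaddress.IPv4Address(data))
        elif rtype == "string":
            val = data.decode("utf-8", errors="replace")
        else:
            val = data
        out.append((name, val))
        pos += vlen
    return out


if __name__ == "__main__":
    d = parse_dictionary(DICTIONARY_NETSCREEN)
    for item in (("NS-Admin-Privilege", "Root-Admin"),
                 ("NS-NSM-User-Domain-Name", "global"),
                 ("NS-NSM-User-Role-Mapping", "global:Domain Administrator")):
        avp = encode_vsa(*item, d)
        print(avp.hex(), "->", decode_vsa(avp, d))
```

The hex printed for NS-Admin-Privilege := Root-Admin (1a0c00000c98010600000001) is what the Access-Accept has to carry for the firewall to grant root-admin rights; comparing the attributes shown by radiusd -X against this encoding is a quick way to confirm the users-file entry actually matched and the dictionary was loaded.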