Ooh! I'll try the LDAP-Group. wrt the Juniper-Local-User-Name VSA: Once authenticated against LDAP the user is mapped to the NAS device where there is a username called tier3 (or whatever you called it; could be superduck). That username is matched against a class which defines a specific set of available commands. The default classes on a Juniper router and switch (out of the box) are tier1 (read-only), tier2 (show and some configure commands) and tier3 (or superuser). The audits on both the NAS and in the radius radacct log show the User-Name value as the LDAP uid. When a user types a command such as 'edit' the NAS returns a Juniper-Interactive-Command value = 'edit'. In this way we have a full record of every command each user types on any Juniper device in our accounting logs. Doing this provides very granular control over what users have what permissions and provides a mechanism for tracking, troubleshooting and accountability.
Thanks Alan,
N

On Thu, Jul 29, 2010 at 11:35 AM, Alan DeKok <al...@deployingradius.com> wrote:
> Natr Brazell wrote:
> > I am looking for information on grouping users into profiles/groups.
> > I've searched around the FAQ's and docs but not finding a clear
> > picture. I've found how to associate a user with a group of NAS's.
>
>   See "man rlm_passwd". It can be used to create arbitrary groups,
> including groups of users.
>
> > Here's the scenario. There is a specific VSA from Juniper called
> > Juniper-Local-User-Name. This gets mapped to a locally defined profile
> > on the NAS. In the users file I have the following:
> >
> > bob.smith Juniper-Local-User-Name = "tier3",
>
>   What does that do?
>
> > So to the point, rather than defining each user with the same parameters
> > every time, can I create a group, for instance TIER3, and associate
> > User-Name's above to the group. And if so how or point me to some
> > specific examples.
> >
> > I am using LDAP also so if there is an LDAP solution same question.
> > Howto?
>
>   Put the users into an LDAP group, and use LDAP-Group checking:
>
> DEFAULT LDAP-Group == "tier2"
>         Juniper-Deny-Commands = "(show system alarms)|(show system software)"
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
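The per-command accounting described above (a Juniper-Interactive-Command attribute arriving in the radacct records under the LDAP uid) is what makes the audit trail useful. As an added example, not from this thread or from the FreeRADIUS project, here is a small Python parser that reads a FreeRADIUS "detail"-style accounting file, builds a per-user command trail, and flags any logged command that matches a Juniper-Deny-Commands style regex such as the one in Alan's reply. The sample excerpt is constructed (usernames, NAS addresses and session ids are made up), the function names are my own, and matching the deny regex with an unanchored search is an assumption about how the NAS applies it.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of a FreeRADIUS "detail" accounting file:
# a timestamp line, then indented "Attribute = value" lines, then a blank line.
# Usernames, addresses and session ids below are made up for this example.
SAMPLE_DETAIL = """\
Thu Jul 29 11:40:12 2010
\tAcct-Status-Type = Start
\tUser-Name = "bob.smith"
\tNAS-IP-Address = 192.0.2.1
\tAcct-Session-Id = "1001"

Thu Jul 29 11:40:30 2010
\tAcct-Status-Type = Interim-Update
\tUser-Name = "bob.smith"
\tNAS-IP-Address = 192.0.2.1
\tAcct-Session-Id = "1001"
\tJuniper-Interactive-Command = "edit"

Thu Jul 29 11:40:45 2010
\tAcct-Status-Type = Interim-Update
\tUser-Name = "bob.smith"
\tNAS-IP-Address = 192.0.2.1
\tAcct-Session-Id = "1001"
\tJuniper-Interactive-Command = "show system alarms"

Thu Jul 29 11:41:02 2010
\tAcct-Status-Type = Interim-Update
\tUser-Name = "alice.jones"
\tNAS-IP-Address = 192.0.2.2
\tAcct-Session-Id = "2002"
\tJuniper-Interactive-Command = "show interfaces terse"

Thu Jul 29 11:42:00 2010
\tAcct-Status-Type = Stop
\tUser-Name = "bob.smith"
\tNAS-IP-Address = 192.0.2.1
\tAcct-Session-Id = "1001"
"""

# An attribute line is indented; the record's timestamp line is not.
ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*(.*)$')


def parse_detail(text):
    """Split detail-file text into records: dicts with 'timestamp' plus attributes."""
    records = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            # Blank line terminates the current record.
            if current:
                records.append(current)
                current = None
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            name, value = m.group(1), m.group(2).strip()
            if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                value = value[1:-1]  # strip the quotes around string values
            current[name] = value
        else:
            # Unindented line starts a new record (the timestamp).
            current = {"timestamp": line.strip()}
    if current:
        records.append(current)
    return records


def command_trail(records):
    """Per-user list of (timestamp, nas, command) for every Juniper-Interactive-Command."""
    trail = defaultdict(list)
    for r in records:
        cmd = r.get("Juniper-Interactive-Command")
        if cmd is not None:
            trail[r.get("User-Name", "?")].append(
                (r["timestamp"], r.get("NAS-IP-Address", "?"), cmd))
    return dict(trail)


def denied_commands(records, deny_pattern):
    """Logged commands matching a Juniper-Deny-Commands style regex.

    A hit means the NAS accounted a command the policy meant to deny, so it is
    worth alerting on (wrong class mapping, stale users entry, or a regex gap).
    Unanchored search is an assumption about how the NAS applies the regex.
    """
    deny_re = re.compile(deny_pattern)
    hits = []
    for user, entries in command_trail(records).items():
        for _ts, nas, cmd in entries:
            if deny_re.search(cmd):
                hits.append((user, nas, cmd))
    return hits


if __name__ == "__main__":
    recs = parse_detail(SAMPLE_DETAIL)
    for user, entries in command_trail(recs).items():
        for ts, nas, cmd in entries:
            print(f"{ts}  {user}@{nas}: {cmd}")
    print("policy violations:",
          denied_commands(recs, r"(show system alarms)|(show system software)"))
```

Pointing `parse_detail` at a real radacct detail file (for example `open(path).read()`) gives the same per-user trail over live data; the deny pattern is taken straight from the users-file entry so the audit checks the policy as written.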