RE: Juniper and Nortel user access [SEC=UNCLASSIFIED]
UNCLASSIFIED

> -----Original Message-----
> From: [EMAIL PROTECTED] eradius.org [mailto:freeradius-users-[EMAIL PROTECTED] On Behalf Of Ivan .
> Sent: Monday, 11 August 2008 13:58
> To: FreeRadius users mailing list
> Subject: Re: Juniper and Nortel user access [SEC=UNCLASSIFIED]
>
> Hi Frank
>
> Another question if that's cool?
>
> How do you manage user access, as from what I can see the passwords
> are in clear text in the conf file? And as such the freeradius admin
> who adds the users will also add the passwords, or am I missing
> something?
>
> I am coming from a Cisco ACS background.

Having users and passwords in the users file is generally only used for
testing. In production, the users file is mainly used to test group
memberships, both user and client, and assign attributes based on those
memberships. The actual authentication is done using a password file, LDAP
directory or SQL queries. Which of these you use is up to you.

In my deployment, I use an OpenLDAP server, which holds Unix, Netview,
DokuWiki and RADIUS users. RADIUS users have the radiusprofile objectclass,
which allows me to specify the radiusGroupName attribute, which specifies
what devices the user can access, and what access level. For example a user
may have in LDAP:

radiusGroupName: passport_service
radiusGroupName: juniper_RO

In the raddb/users file a rule may be:

DEFAULT Huntgroup-Name == juniper, Ldap-Group == juniper_RO
        Service-Type := NAS-Prompt-User

This ties a group of devices to a group of users. In FreeRADIUS, a device
can belong to only one huntgroup, whereas users can be in many groups.

In any case, to address your initial concern, using LDAP or SQL allows you
to use whatever mechanism you like for account maintenance, completely
independent of the RADIUS server and its requirements.

You have a bit of a learning curve ahead of you, but it is worth it.
Use the -X switch on the server to see what it is doing, and make small
changes each time so you know where to look when you break it.

Regards,
Frank Ranner

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Juniper and Nortel user access [SEC=UNCLASSIFIED]
Hi Frank

Another question if that's cool?

How do you manage user access, as from what I can see the passwords are in
clear text in the conf file? And as such the freeradius admin who adds the
users will also add the passwords, or am I missing something?

I am coming from a Cisco ACS background.

cheers
Ivan

On Mon, Aug 11, 2008 at 1:28 PM, Ranner, Frank MR <[EMAIL PROTECTED]> wrote:
> UNCLASSIFIED
>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] eradius.org [mailto:freeradius-users-[EMAIL PROTECTED] On Behalf Of Ivan .
>> Sent: Monday, 11 August 2008 10:18
>> To: freeradius-users@lists.freeradius.org
>> Subject: Juniper and Nortel user access
>>
>> Hi
>>
>> I have a user set up in the /etc/freeradius/users file which can access
>> Juniper routers, but I would like the same user to be able to access
>> Nortel switches, but when I try and combine the user attributes
>> authentication fails.
>>
>> This conf works for both devices:
>>
>> test    Auth-type := Local, User-Password := "test"
>>         Juniper-Local-User-Name = "DEV"
>>
>> test2   Cleartext-Password := "test"
>>         Service-Type = Administrative-User
>>
>> When I try and combine, auth fails for the Nortels.
>>
>> test    Auth-type := Local, User-Password := "test"
>>         Juniper-Local-User-Name = "DEV"
>>         Service-Type = Administrative-User
>>
>
> You need a comma after the reply attribute:
>
> test    Auth-type := Local, User-Password := "test"
>         Juniper-Local-User-Name = "DEV",
>         Service-Type = Administrative-User
>
> Regards,
> Frank Ranner
Re: Juniper and Nortel user access [SEC=UNCLASSIFIED]
Awesome, thanks! That works.

cheers
Ivan

On Mon, Aug 11, 2008 at 1:28 PM, Ranner, Frank MR <[EMAIL PROTECTED]> wrote:
> UNCLASSIFIED
>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] eradius.org [mailto:freeradius-users-[EMAIL PROTECTED] On Behalf Of Ivan .
>> Sent: Monday, 11 August 2008 10:18
>> To: freeradius-users@lists.freeradius.org
>> Subject: Juniper and Nortel user access
>>
>> Hi
>>
>> I have a user set up in the /etc/freeradius/users file which can access
>> Juniper routers, but I would like the same user to be able to access
>> Nortel switches, but when I try and combine the user attributes
>> authentication fails.
>>
>> This conf works for both devices:
>>
>> test    Auth-type := Local, User-Password := "test"
>>         Juniper-Local-User-Name = "DEV"
>>
>> test2   Cleartext-Password := "test"
>>         Service-Type = Administrative-User
>>
>> When I try and combine, auth fails for the Nortels.
>>
>> test    Auth-type := Local, User-Password := "test"
>>         Juniper-Local-User-Name = "DEV"
>>         Service-Type = Administrative-User
>>
>
> You need a comma after the reply attribute:
>
> test    Auth-type := Local, User-Password := "test"
>         Juniper-Local-User-Name = "DEV",
>         Service-Type = Administrative-User
>
> Regards,
> Frank Ranner
RE: Juniper and Nortel user access [SEC=UNCLASSIFIED]
UNCLASSIFIED

> -----Original Message-----
> From: [EMAIL PROTECTED] eradius.org [mailto:freeradius-users-[EMAIL PROTECTED] On Behalf Of Ivan .
> Sent: Monday, 11 August 2008 10:18
> To: freeradius-users@lists.freeradius.org
> Subject: Juniper and Nortel user access
>
> Hi
>
> I have a user set up in the /etc/freeradius/users file which can access
> Juniper routers, but I would like the same user to be able to access
> Nortel switches, but when I try and combine the user attributes
> authentication fails.
>
> This conf works for both devices:
>
> test    Auth-type := Local, User-Password := "test"
>         Juniper-Local-User-Name = "DEV"
>
> test2   Cleartext-Password := "test"
>         Service-Type = Administrative-User
>
> When I try and combine, auth fails for the Nortels.
>
> test    Auth-type := Local, User-Password := "test"
>         Juniper-Local-User-Name = "DEV"
>         Service-Type = Administrative-User

You need a comma after the reply attribute:

test    Auth-type := Local, User-Password := "test"
        Juniper-Local-User-Name = "DEV",
        Service-Type = Administrative-User

Regards,
Frank Ranner
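An added example, not from the thread and not FreeRADIUS code: a small Python model of the two users-file points made in Frank's replies, the trailing-comma rule from the comma fix above and the DEFAULT entries that tie a device huntgroup to an LDAP group from his later reply. Everything in it is constructed for illustration: the sample users text (built from the entries quoted in the thread), the request dicts, and the assumption that Huntgroup-Name and Ldap-Group arrive already resolved (in a real server the huntgroups file and rlm_ldap compute them). The model drops an indented line that follows a reply list which has already ended, and records it; that choice is an assumption made to match what Ivan saw, namely that the entry still loaded and only the Service-Type reply went missing.

```python
# Toy model of FreeRADIUS users-file handling, written for this thread; it is not FreeRADIUS
# code. It covers the two points made above: reply items continue only while lines end in a
# comma, and DEFAULT entries can tie a device huntgroup to an LDAP group. Huntgroup-Name and
# Ldap-Group are resolved by the server's huntgroups file and rlm_ldap in reality; here the
# request dict simply carries their already-resolved values (an assumption of this model).
import re
from dataclasses import dataclass

PAIR_RE = re.compile(r'([\w-]+)\s*(:=|==|!=|\+=|=~|=)\s*("[^"]*"|[^,\s]+)')


@dataclass
class Entry:
    name: str    # user name, or DEFAULT
    check: list  # (attribute, operator, value) from the entry's first line
    reply: list  # (attribute, operator, value) from the indented continuation lines


def parse_pairs(text):
    """Parse 'Attr op value, Attr op value' into triples (surrounding quotes stripped)."""
    pairs = [(a, op, v.strip('"')) for a, op, v in PAIR_RE.findall(text)]
    leftover = PAIR_RE.sub("", text).replace(",", "").strip()
    if leftover:
        raise ValueError(f"cannot parse {leftover!r}")
    return pairs


def parse_users(text):
    """Return (entries, skipped_lines).

    A reply line without a trailing comma ends its entry.  An indented line that then follows
    belongs to no entry; this model drops it and records it (assumption), which is what makes
    the 'test' entry load with only one reply attribute, as Ivan observed.
    """
    lines = [ln for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]
    entries, skipped, i = [], [], 0
    while i < len(lines):
        if lines[i][0].isspace():
            skipped.append(lines[i].strip())
            i += 1
            continue
        head = lines[i].strip().split(None, 1)
        check = parse_pairs(head[1]) if len(head) > 1 else []
        reply, i = [], i + 1
        while i < len(lines) and lines[i][0].isspace():
            body = lines[i].strip()
            reply.extend(parse_pairs(body.rstrip(",")))
            i += 1
            if not body.endswith(","):
                break
        entries.append(Entry(head[0], check, reply))
    return entries, skipped


def check_matches(entry, request):
    """'==' check items must match the request; ':=' check items (Auth-Type, the stored
    password) set control values for later modules and never reject on their own."""
    for attr, op, val in entry.check:
        if op != "==":
            continue
        have = request.get(attr, ())
        if isinstance(have, str):
            have = (have,)  # Huntgroup-Name: a device is in exactly one huntgroup
        if val not in have:  # Ldap-Group: a user may be in many groups
            return False
    return True


def authorize(entries, request):
    """File order matters: the first matching entry wins unless it sets Fall-Through = Yes."""
    reply = {}
    for e in entries:
        if e.name != "DEFAULT" and e.name != request.get("User-Name"):
            continue
        if not check_matches(e, request):
            continue
        for attr, _op, val in e.reply:
            reply[attr] = val
        if reply.pop("Fall-Through", "No").lower() != "yes":
            break
    return reply


def reply_for(users_text, request):
    return authorize(parse_users(users_text)[0], request)


# Constructed sample: Frank's huntgroup/LDAP-group mapping, then Ivan's corrected entry.
USERS_OK = """\
DEFAULT Huntgroup-Name == juniper, Ldap-Group == juniper_RO
        Service-Type := NAS-Prompt-User

DEFAULT Huntgroup-Name == nortel, Ldap-Group == passport_service
        Service-Type = Administrative-User

test    Auth-Type := Local, User-Password := "test"
        Juniper-Local-User-Name = "DEV",
        Service-Type = Administrative-User
"""

# Ivan's first attempt: no comma, so the Service-Type line is orphaned.
USERS_BROKEN = """\
test    Auth-Type := Local, User-Password := "test"
        Juniper-Local-User-Name = "DEV"
        Service-Type = Administrative-User
"""

if __name__ == "__main__":
    nortel = {"User-Name": "test", "Huntgroup-Name": "nortel"}
    print("fixed  :", reply_for(USERS_OK, nortel))      # both reply attributes
    print("broken :", reply_for(USERS_BROKEN, nortel))  # Juniper-Local-User-Name only
    print("skipped:", parse_users(USERS_BROKEN)[1])
    ivan = {"User-Name": "ivan", "Huntgroup-Name": "juniper", "Ldap-Group": {"juniper_RO"}}
    print("ivan   :", reply_for(USERS_OK, ivan))        # Service-Type NAS-Prompt-User
```

The practical check this models is the one Frank recommends: run the server with -X, send a test request, and read the reply items it lists for the matched entry; if an attribute you wrote in the users file is missing there, look at the punctuation of the line before it.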