Are the following radius.cfg snippet and users file workable?

The goal is to have users authenticate with a unix account and then based on 
their unix group membership, assign different privilege levels to the switch 
CLI (cisco).


### radius.cfg

# LC Wired net devices
<Client 172.24.128.0/20>
    IdenticalClients fd9a:2c75:7d0c:1017::/64
    # CB area Wired net devices
    IdenticalClients 172.24.160.0/20
    IdenticalClients fd9a:2c75:7d0c:201a::/64
    # BSB area Wired net devices
    IdenticalClients 172.24.192.0/20
    IdenticalClients fd9a:2c75:7d0c:3020::/64
    # Oakdale (ITF) area Wired net devices
    IdenticalClients 172.24.224.0/20
    IdenticalClients fd9a:2c75:400c:3020::/64
    #
    Identifier EDGE_Switches
    Secret  SECRET
    DupInterval 0
</Client>

<AuthBy GROUP>
    Identifier local_thing_users_group

    AuthByPolicy ContinueWhileAccept

    # rewrite username to prepend lu_ (i.e., jcmuelle becomes lu_jcmuelle)
    RewriteUsername s/(.*)/lu_$1/

    # Authenticate user via UNIX account
    <AuthBy UNIX>
        AuthenProto PAP, Unknown
        Filename /etc/shadow
        GroupFileName /etc/group
        Nocache
    </AuthBy>

    # Authorize users by UNIX Group membership
    <AuthBy FILE>
        Filename %D/users
    </AuthBy>

</AuthBy>

# Handler for "EDGE_Switches" (testing)
<Handler Client-Identifier="EDGE_Switches">

    AuthByPolicy ContinueWhileReject
    AuthBy local_thing_users_group

    AcctLogFileName /var/log/neg/radius/radiator.acct
    ExcludeRegexFromPasswordLog .*
    AuthLog authlogger

</Handler>

### USERS FILE

# EDGE Network Switches (Admins)
DEFAULT Auth-Type = local_thing_users, Client-Identifier = EDGE_Switches, Group = nesstaff
    Session-Timeout = 0,
    cisco-avpair = shell:roles="network-admin",
    cisco-avpair = shell:priv-lvl=15

# EDGE Network Switches (Limited Access)
DEFAULT Auth-Type = local_thing_users, Client-Identifier = EDGE_Switches, Group = pistaff
    Session-Timeout = 0,
    cisco-avpair = shell:roles="pi-admin",
    cisco-avpair = shell:priv-lvl=7

--
Neil Johnson
Network Architect
The University of Iowa
319 384-0938
neil-john...@uiowa.edu


_______________________________________________
radiator mailing list
radiator@lists.open.com.au
https://lists.open.com.au/mailman/listinfo/radiator
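As an added example (not part of the post and not Radiator code), a small Python model of the authorization path the users file above expresses: the RewriteUsername rule is applied first, group membership is then checked for the rewritten name against a constructed /etc/group, and the DEFAULT entries are tried in order with the first full match returning its reply items. The password check done by AuthBy UNIX and primary-group membership from /etc/passwd are left out.

```python
import re

# Constructed sample /etc/group. Because RewriteUsername runs before the UNIX
# lookup, the accounts listed here must already carry the lu_ prefix.
GROUP_FILE = """\
root:x:0:
nesstaff:x:1001:lu_jcmuelle,lu_alice
pistaff:x:1002:lu_bob
"""

# The two DEFAULT entries of the users file as (check items, reply items).
USERS_ENTRIES = [
    ({"Client-Identifier": "EDGE_Switches", "Group": "nesstaff"},
     ["Session-Timeout=0", 'cisco-avpair=shell:roles="network-admin"',
      "cisco-avpair=shell:priv-lvl=15"]),
    ({"Client-Identifier": "EDGE_Switches", "Group": "pistaff"},
     ["Session-Timeout=0", 'cisco-avpair=shell:roles="pi-admin"',
      "cisco-avpair=shell:priv-lvl=7"]),
]


def rewrite_username(name):
    """Apply RewriteUsername s/(.*)/lu_$1/ (one substitution, as Perl does without /g)."""
    return re.sub(r"(.*)", r"lu_\1", name, count=1)


def parse_groups(text):
    """Map group name -> set of supplementary members from /etc/group text."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def authorize(username, client_identifier, group_text=GROUP_FILE):
    """Return the reply items of the first DEFAULT entry whose check items
    all match, or None when no entry matches (the request is rejected).
    Password verification by AuthBy UNIX is assumed to have succeeded."""
    user = rewrite_username(username)
    groups = parse_groups(group_text)
    for checks, replies in USERS_ENTRIES:
        if checks["Client-Identifier"] != client_identifier:
            continue
        if user in groups.get(checks["Group"], set()):
            return list(replies)
    return None
```

A user in neither group, or a request from a client with another Identifier, gets no reply items and is rejected rather than falling through to a default privilege level.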
