Is the following snippet radius.cfg and users file workable? The goal is to have users authenticate with a unix account and then based on their unix group membership, assign different privilege levels to the switch CLI (cisco).
### radius.cfg

# LC Wired net devices
<Client 172.24.128.0/20>
        IdenticalClients fd9a:2c75:7d0c:1017::/64
        # CB area Wired net devices
        IdenticalClients 172.24.160.0/20
        IdenticalClients fd9a:2c75:7d0c:201a::/64
        # BSB area Wired net devices
        IdenticalClients 172.24.192.0/20
        IdenticalClients fd9a:2c75:7d0c:3020::/64
        # Oakdale (ITF) area Wired net devices
        IdenticalClients 172.24.224.0/20
        IdenticalClients fd9a:2c75:400c:3020::/64
        #
        Identifier EDGE_Switches
        Secret SECRET
        DupInterval 0
</Client>

<AuthBy GROUP>
        Identifier local_thing_users_group
        AuthByPolicy ContinueWhileAccept

        # rewrite username to prepend lu_ (i.e., jcmuelle becomes lu_jcmuelle)
        RewriteUsername s/(.*)/lu_$1/

        # Authenticate user via UNIX account
        <AuthBy UNIX>
                AuthenProto PAP, Unknown
                Filename /etc/shadow
                GroupFileName /etc/group
                Nocache
        </AuthBy>

        # Authorize users by UNIX Group membership
        <AuthBy FILE>
                Filename %D/users
        </AuthBy>
</AuthBy>

# Handler for "EDGE_Switches" (testing)
<Handler Client-Identifier="EDGE_Switches">
        AuthByPolicy ContinueWhileReject
        AuthBy local_thing_users_group
        AcctLogFileName /var/log/neg/radius/radiator.acct
        ExcludeRegexFromPasswordLog .*
        AuthLog authlogger
</Handler>

### USERS FILE

# EDGE Network Switches (Admins)
DEFAULT Auth-Type = local_thing_users, Client-Identifier = EDGE_Switches, Group = nesstaff
        Session-Timeout=0,cisco-avpair=shell:roles="network-admin",cisco-avpair=shell:priv-lvl=15

# EDGE Network Switches (Limited Access)
DEFAULT Auth-Type = local_thing_users, Client-Identifier = EDGE_Switches, Group = pistaff
        Session-Timeout=0,cisco-avpair=shell:roles="pi-admin",cisco-avpair=shell:priv-lvl=7

--
Neil Johnson
Network Architect
The University of Iowa
319 384-0938
neil-john...@uiowa.edu
_______________________________________________ radiator mailing list radiator@lists.open.com.au https://lists.open.com.au/mailman/listinfo/radiator
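The following is an added example, not part of the post or of Radiator itself. It models the authorization step of the configuration above: the username is rewritten with the `lu_` prefix, group membership is looked up in an `/etc/group`-style file, and the users-file entries are tried in order, with the first matching entry supplying the reply attributes. The "first matching DEFAULT entry wins" semantics and the `authorize`, `parse_group_file` and `priv_level` helpers are assumptions made for this illustration; the sample group file is constructed. Running it shows which privilege level a user who belongs to both `nesstaff` and `pistaff` would receive, and that a user in neither group gets no reply at all, which is the check worth doing before pointing real switches at the server.

```python
import re

# Constructed sample /etc/group content (not from the post). Note that the
# members already carry the lu_ prefix, since RewriteUsername prepends it
# before any group lookup happens.
GROUP_FILE = """\
root:x:0:
nesstaff:x:1001:lu_jcmuelle,lu_asmith
pistaff:x:1002:lu_bjones,lu_jcmuelle
users:x:100:lu_cwhite
"""

# The two DEFAULT entries from the users file, in file order.
# Each entry is (required group, list of (attribute, value) reply items).
POLICY = [
    ("nesstaff", [("Session-Timeout", "0"),
                  ("cisco-avpair", 'shell:roles="network-admin"'),
                  ("cisco-avpair", "shell:priv-lvl=15")]),
    ("pistaff",  [("Session-Timeout", "0"),
                  ("cisco-avpair", 'shell:roles="pi-admin"'),
                  ("cisco-avpair", "shell:priv-lvl=7")]),
]


def rewrite_username(name):
    """Mirror of 'RewriteUsername s/(.*)/lu_$1/' from the post."""
    return re.sub(r"(.*)", r"lu_\1", name, count=1)


def parse_group_file(text):
    """Parse /etc/group lines into {group: set(members)}."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def authorize(username, groups, policy=POLICY):
    """Return the reply items of the first policy entry whose group contains
    the rewritten user, or None when no entry matches (assumed to mean reject)."""
    user = rewrite_username(username)
    for group, reply in policy:
        if user in groups.get(group, set()):
            return list(reply)
    return None


def priv_level(reply):
    """Extract the Cisco privilege level from a reply, or None if absent."""
    if reply is None:
        return None
    for attr, value in reply:
        if attr == "cisco-avpair" and value.startswith("shell:priv-lvl="):
            return int(value.split("=", 1)[1])
    return None


if __name__ == "__main__":
    groups = parse_group_file(GROUP_FILE)
    for who in ("jcmuelle", "bjones", "cwhite"):
        print(who, "->", priv_level(authorize(who, groups)))
```

Because the entries are ordered, a user present in both groups receives the admin entry; swapping the two DEFAULT lines would silently demote such users to level 7, so the order in the users file is part of the policy.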