Use of Service type attribute
Phil Mayers
p.mayers at imperial.ac.uk
Wed Apr 26 11:04:50 CEST 2006
Chandra mohan wrote:
> Hi,
> I am developing a RADIUS client for our embedded
> product. I would like the Radius client implementation
> to support the association of privilege level with
> individual accounts, e.g. the account "normal_user"
> has a privilege that allows read-only access while
> account "admin_user" has a privilege that allows
> read-write access (can change our system
> configuration).
> Is it possible to use the "Service-Type" attribute for
> this purpose, with the "Login" value for normal_user and
> "Administrative" for admin_user? Please clarify.
Yes, it is possible, but it is wrong. RFC 2865 states:
   5.6. Service-Type

      Value

          1      Login
          2      Framed
          3      Callback Login
          4      Callback Framed
          5      Outbound
          6      Administrative
          7      NAS Prompt
          8      Authenticate Only
          9      Callback NAS Prompt
         10      Call Check
         11      Callback Administrative

      <snip>

      Login           The user should be connected to a host.

      Administrative  The user should be granted access to the
                      administrative interface to the NAS from which
                      privileged commands can be executed.

      NAS Prompt      The user should be provided a command prompt
                      on the NAS from which non-privileged commands
                      can be executed.
So you should actually use "NAS Prompt" for read-only and
"Administrative" for read-write. "Login" is something else entirely.
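One way the embedded client could consume the Service-Type value from an Access-Accept, as an added example (Python, not code from this thread or from FreeRADIUS). The attribute number 6 and the 4-octet encoding come from RFC 2865; the privilege names and the fail-closed policy (unknown, missing or duplicated Service-Type means deny) are assumptions.

```python
import struct

# RFC 2865 section 5.6: Service-Type is attribute type 6, value is 4 octets.
SERVICE_TYPE = 6
NAS_PROMPT = 7        # non-privileged command prompt  -> read-only
ADMINISTRATIVE = 6    # administrative interface       -> read-write

# Assumed privilege names for the embedded product in the question.
PRIVILEGE_BY_SERVICE_TYPE = {NAS_PROMPT: "read-only", ADMINISTRATIVE: "read-write"}


def parse_attributes(payload):
    """Walk the TLV attribute list of a RADIUS packet (bytes after the
    20-byte header). Returns [(type, value), ...]; raises ValueError on
    a truncated or oversized attribute rather than guessing."""
    attrs = []
    pos = 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs


def privilege_from_access_accept(payload):
    """Map the Service-Type in an Access-Accept to a privilege level.
    Fails closed: no Service-Type, more than one, a value of the wrong
    size, or an unexpected value (e.g. Login = 1, which means 'connect
    the user to a host', not a privilege level) all return None (deny)."""
    values = [v for t, v in parse_attributes(payload) if t == SERVICE_TYPE]
    if len(values) != 1 or len(values[0]) != 4:
        return None
    (service_type,) = struct.unpack("!I", values[0])
    return PRIVILEGE_BY_SERVICE_TYPE.get(service_type)


def service_type_attr(value):
    """Encode a Service-Type attribute: type 6, length 6, 4-octet value."""
    return struct.pack("!BBI", SERVICE_TYPE, 6, value)


# Constructed attribute lists, as a server might return them (no packet header).
ADMIN_PAYLOAD = service_type_attr(ADMINISTRATIVE)   # -> "read-write"
USER_PAYLOAD = service_type_attr(NAS_PROMPT)        # -> "read-only"
LOGIN_PAYLOAD = service_type_attr(1)                # Login: the wrong choice -> None
```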