Authenticating many devices using one attribute

A.L.M.Buxey at lboro.ac.uk A.L.M.Buxey at lboro.ac.uk
Fri May 25 15:58:45 CEST 2007


Hi,

> We're hoping to begin using radius to authenticate logins to our Cisco
> routers and Cisco switches. Currently, we're going to start with a group
> of core routers, but would like to make all of our switches authenticate
> to radius. Being the networking group for the University, our switches
> are located on many different networks all over campus, and we have ~900.
> 
> We currently use our radius server to authenticate other services such as
> modems and the VPN. I'm looking for a radius configuration that's as
> compact as possible; obviously, when dealing with 900+ devices, using
> individual ips isn't ideal.

A few ways.

I'd assume the switches have static addresses and are on similar subnets...
in which case you can use in your clients.conf file such identities...

client 192.168.10.0/23 {
	# one shared secret for every NAS in the block (placeholder value)
	secret    = <shared-secret>
	shortname = switches
}

You could also put them into SQL (e.g. the NAS table), either each or per subnet
id. You could then use this table to assign the reply attributes,
or put the switch details into the SQL group-reply table. For compact
config you could then use either the SQL to check user and NAS-IP-Address
or Perl/PHP to do similar. Either way, the config will grow slightly
and you may need to change the logic... after all, those people who are
valid to use modem and VPN are probably not all valid to just log into
switches!

alan 
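As an added illustration of the per-NAS check Alan describes (check the user *and* the NAS-IP-Address, so that modem/VPN users are not automatically allowed onto switches), here is a small model in Python. It is not FreeRADIUS code; the subnets, groups, users and passwords are constructed sample data standing in for clients.conf blocks or SQL nas/group tables.

```python
"""Model of an authorization check keyed on user group AND NAS class.
Added illustration, not FreeRADIUS's own code; all data is constructed."""
import hmac
import ipaddress
from typing import Optional, Tuple

# Constructed: NAS classes keyed by subnet, mirroring CIDR client blocks
# in clients.conf or per-subnet rows in an SQL nas table.
NAS_CLASSES = {
    ipaddress.ip_network("192.168.10.0/23"): "switches",
    ipaddress.ip_network("10.0.5.0/24"): "core-routers",
    ipaddress.ip_network("10.0.9.10/32"): "vpn",
    ipaddress.ip_network("10.0.9.20/32"): "modems",
}

# Constructed: which NAS classes each user group may log in to.
GROUP_ALLOWED_NAS = {
    "netops": {"switches", "core-routers", "vpn", "modems"},
    "staff": {"vpn", "modems"},
    "students": {"modems"},
}

# Constructed sample user store: name -> (password, groups)
USERS = {
    "alice": ("s3cret", {"netops"}),
    "bob": ("pa55", {"staff"}),
}


def classify_nas(nas_ip: str) -> Optional[str]:
    """Map a NAS-IP-Address to its class by longest-prefix match."""
    addr = ipaddress.ip_address(nas_ip)
    best = None
    for net, cls in NAS_CLASSES.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cls)
    return best[1] if best else None


def authorize(user: str, password: str, nas_ip: str) -> Tuple[bool, str]:
    """Accept only if the NAS is known, the credentials match, and one of
    the user's groups is permitted on that NAS class."""
    nas_class = classify_nas(nas_ip)
    if nas_class is None:
        return False, "unknown NAS"
    entry = USERS.get(user)
    if entry is None or not hmac.compare_digest(entry[0].encode(), password.encode()):
        return False, "bad credentials"
    allowed = set().union(*(GROUP_ALLOWED_NAS.get(g, set()) for g in entry[1]))
    if nas_class not in allowed:
        return False, f"group not permitted on {nas_class}"
    return True, f"ok on {nas_class}"
```

Note that a valid password alone is not enough: `bob` is accepted on the VPN concentrator but rejected on a switch address in the 192.168.10.0/23 block.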


