Freeradius/Netscreen help [SEC=UNCLASSIFIED]
mario2378
mario.carassale at sohonet.co.uk
Tue Apr 22 14:49:07 CEST 2008
Hi,
thank you to all for your answers.
One of the problems I have with Netscreen is that the user root does not get
full privileges if authenticated using RADIUS.
Also, a silly question, sorry but I am new to FREERADIUS.
Once the dictionary file is in the right place (/usr/share/freeradius/) what
do I need to do in order to get the attributes checked? I am
using the local /etc/passwd file for user authentication, but then how do I
specify what privilege to give to each user? I hope my question is clear.
Thank you again.
mario
Ranner, Frank MR wrote:
>
> UNCLASSIFIED
>
>> -----Original Message-----
>> From: freeradius-users-bounces+frank.ranner=defence.gov.au at lists.freeradius.org
>> [mailto:freeradius-users-bounces+frank.ranner=defence.gov.au at lists.freeradius.org]
>> On Behalf Of Mario Carassale
>> Sent: Saturday, 19 April 2008 00:49
>> To: freeradius-users at lists.freeradius.org
>> Subject: Freeradius/Netscreen help
>>
>> Hi All
>>
>> I am new to this list, so please understand my funny question :-)
>>
>> I have freeradius running fine and I want to authenticate a netscreen
>> firewall against it. My question is, how can I get user privileges
>> from the radius when a user logs into the firewall?
>>
>> If I set the firewall to get privileges from the RADIUS server,
>> the login fails; I suppose this is due to not having admin privileges.
>>
>> Thank you for all your help.
>>
>> Mario
>>
>
> There are a couple of things you need for netscreens.
>
> 1. The netscreen dictionary. You should find one in the netscreen doco,
> but failing that here is the one I use:
> ------------Start----------------
> # -*- text -*-
> #
> # From:
> # http://www.netscreen.com/support/downloads/4.0_configuring_screenOS_for_NTdomain_v11.pdf
> #
>
> VENDOR Netscreen 3224
>
> BEGIN-VENDOR Netscreen
>
> ATTRIBUTE NS-Admin-Privilege 1 integer
> ATTRIBUTE NS-VSYS-Name 2 string
> ATTRIBUTE NS-User-Group 3 string
> ATTRIBUTE NS-Primary-DNS 4 ipaddr
> ATTRIBUTE NS-Secondary-DNS 5 ipaddr
> ATTRIBUTE NS-Primary-WINS 6 ipaddr
> ATTRIBUTE NS-Secondary-WINS 7 ipaddr
>
> ATTRIBUTE NS-NSM-User-Domain-Name 220 string
> ATTRIBUTE NS-NSM-User-Role-Mapping 221 string
>
> #
> # Values VSYS-Admin and Read-Only-VSYS-Admin require a NS-VSYS-Name
> # attribute in the response packet.
> #
> VALUE NS-Admin-Privilege Root-Admin 1
> VALUE NS-Admin-Privilege All-VSYS-Root-Admin 2
> VALUE NS-Admin-Privilege VSYS-Admin 3
> VALUE NS-Admin-Privilege Read-Only-Admin 4
> VALUE NS-Admin-Privilege Read-Only-VSYS-Admin 5
>
> END-VENDOR Netscreen
> -----------Finish-------
> Put the text into dictionary.netscreen and add the line
>
> $INCLUDE dictionary.netscreen
>
> in share/freeradius/dictionary
>
> 2. You need to return some attributes depending on the access level.
> In raddb/users:
>
> DEFAULT Ldap-Group == `%{Huntgroup-Name}_RWA`
>         NS-Admin-Privilege := Root-Admin,
>         NS-NSM-User-Domain-Name = global,
>         NS-NSM-User-Role-Mapping = "global:Domain Administrator"
>
> DEFAULT Ldap-Group == `%{Huntgroup-Name}_RO`
>         NS-Admin-Privilege := Read-Only-Admin,
>         NS-NSM-User-Domain-Name = global,
>         NS-NSM-User-Role-Mapping = "global:Read-Only Domain Administrator"
>
> DEFAULT Ldap-Group == `%{Huntgroup-Name}_RDA`
>         NS-Admin-Privilege := Root-Admin,
>         NS-NSM-User-Domain-Name = global,
>         NS-NSM-User-Role-Mapping = "global:Restricted Device Administrator"
>
> Obviously your check criteria will need to be adjusted to your
> requirements, but the return attributes should get you started. You can
> set up all kinds of domains and classes of users in the netscreen, and
> match them to users as above.
>
> 3. Ensure that the password length is sufficient. There is a defined
> minimum length in the netscreen Software. I think it may be 9 chars but
> check with your doco.
>
> Hope this helps,
>
> Frank Ranner
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
--
View this message in context: http://www.nabble.com/Freeradius-Netscreen-help-tp16769356p16823856.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
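Added example, not part of the thread or of FreeRADIUS itself: it parses the dictionary.netscreen entries Frank quoted (re-typed inline as a constructed copy) and shows how a reply item such as `NS-Admin-Privilege := Root-Admin` becomes a Vendor-Specific attribute (type 26, vendor id 3224) in the Access-Accept, enforcing the dictionary's own note that VSYS-Admin and Read-Only-VSYS-Admin must be paired with NS-VSYS-Name. Function names, the `netscreen_reply` helper and the sample "vsys1" name are assumptions made for this example.

```python
import struct

# Constructed subset of the dictionary.netscreen quoted in the thread.
DICTIONARY = """
VENDOR Netscreen 3224
BEGIN-VENDOR Netscreen
ATTRIBUTE NS-Admin-Privilege 1 integer
ATTRIBUTE NS-VSYS-Name 2 string
ATTRIBUTE NS-NSM-User-Domain-Name 220 string
ATTRIBUTE NS-NSM-User-Role-Mapping 221 string
VALUE NS-Admin-Privilege Root-Admin 1           # comments are allowed
VALUE NS-Admin-Privilege VSYS-Admin 3
VALUE NS-Admin-Privilege Read-Only-Admin 4
VALUE NS-Admin-Privilege Read-Only-VSYS-Admin 5
END-VENDOR Netscreen
"""

def parse_dictionary(text):
    """Read VENDOR / ATTRIBUTE / VALUE lines; ignores comments and BEGIN/END-VENDOR."""
    vendor_id, attrs, values = None, {}, {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "VENDOR":
            vendor_id = int(fields[2])
        elif fields[0] == "ATTRIBUTE":          # name -> (vendor type, data type)
            attrs[fields[1]] = (int(fields[2]), fields[3])
        elif fields[0] == "VALUE":              # attr -> {value name: number}
            values.setdefault(fields[1], {})[fields[2]] = int(fields[3])
    return vendor_id, attrs, values

VENDOR_ID, ATTRS, VALUES = parse_dictionary(DICTIONARY)

def encode_vsa(name, value):
    """Build one RADIUS Vendor-Specific AVP (RFC 2865 5.26):
    type 26, length, 4-byte vendor id, then vendor-type, vendor-length, data."""
    number, kind = ATTRS[name]
    if kind == "integer":   # named VALUEs map to their number; raw ints pass through
        data = struct.pack("!I", VALUES.get(name, {}).get(value, value))
    else:
        data = value.encode()
    inner = struct.pack("!BB", number, 2 + len(data)) + data
    if len(inner) > 249:    # whole AVP must fit in one 255-byte attribute
        raise ValueError("value too long for a single VSA")
    return struct.pack("!BBI", 26, 6 + len(inner), VENDOR_ID) + inner

def netscreen_reply(privilege, vsys_name=None):
    """Reply AVPs for one admin level; VSYS levels require NS-VSYS-Name."""
    if privilege in ("VSYS-Admin", "Read-Only-VSYS-Admin") and not vsys_name:
        raise ValueError(f"{privilege} requires NS-VSYS-Name in the Access-Accept")
    avps = [encode_vsa("NS-Admin-Privilege", privilege)]
    if vsys_name:
        avps.append(encode_vsa("NS-VSYS-Name", vsys_name))
    return b"".join(avps)
```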