Juniper and Nortel user access [SEC=UNCLASSIFIED]

Ranner, Frank MR Frank.Ranner at defence.gov.au
Mon Aug 11 09:00:16 CEST 2008


UNCLASSIFIED

> -----Original Message-----
> From: freeradius-users-bounces+frank.ranner=defence.gov.au at lists.freeradius.org [mailto:freeradius-users-bounces+frank.ranner=defence.gov.au at lists.freeradius.org] On Behalf Of Ivan .
> Sent: Monday, 11 August 2008 13:58
> To: FreeRadius users mailing list
> Subject: Re: Juniper and Nortel user access [SEC=UNCLASSIFIED]
> 
> Hi Frank
> 
> Another question if that's cool?
> 
> How do you manage user access, as from what I can see the passwords
> are in clear text in the conf file? And as such the freeradius admin
> who adds the users will also add the passwords, or am I missing
> something?
> 
> I am coming from a Cisco ACS background.
> 

Having users and passwords in the users file is generally only used for
testing. In production, the users file is mainly used to test group
memberships, both user and client, and assign attributes based on those
memberships.

The actual authentication is done using a password file, LDAP directory
or SQL queries. Which of these you use is up to you. In my deployment, I
use an openldap server, which holds Unix, Netview, dokuwiki and radius
users. Radius users have the radiusprofile objectclass, which allows me
to specify the radiusGroupName attribute, which specifies what devices
the user can access, and at what access level. For example, a user may
have in LDAP:

radiusGroupName: passport_service
radiusGroupName: juniper_RO

In the raddb/users file a rule may be:

DEFAULT Huntgroup-Name == juniper, Ldap-Group == juniper_RO
	Service-Type := NAS-Prompt-User

This ties a group of devices to a group of users. In freeradius, a
device can belong to only one huntgroup, whereas users can be in many
groups.

In any case, to address your initial concern, using LDAP or SQL allows
you to use whatever mechanism you like for account maintenance,
completely independent of the radius server and its requirements.

You have a bit of a learning curve ahead of you, but it is worth it. Use
the -X switch on the server to see what it is doing, and make small
changes each time so you know where to look when you break it.

Regards,
Frank Ranner
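The huntgroup/LDAP-group arrangement Frank describes, written out as a complete set of config fragments. This is an added example, not part of Frank's post or of the FreeRADIUS distribution; the NAS addresses (192.0.2.x), the LDAP base DN (dc=example,dc=com), the user jsmith and the juniper_RW group are assumptions chosen for illustration, and the password value is a placeholder.

```conf
# raddb/huntgroups (constructed example)
# A NAS can match only one huntgroup; list every Juniper box here.
juniper         NAS-IP-Address == 192.0.2.10
juniper         NAS-IP-Address == 192.0.2.11
passport        NAS-IP-Address == 192.0.2.20

# raddb/modules/ldap (relevant lines only) - tells rlm_ldap which
# attribute in the user's entry to compare against "Ldap-Group".
#   basedn = "ou=people,dc=example,dc=com"
#   groupmembership_attribute = radiusGroupName

# raddb/users (constructed example)
# Entries are tried top to bottom; the first match wins unless it sets
# Fall-Through. Device group (huntgroup) AND user group (LDAP) must match.
DEFAULT Huntgroup-Name == juniper, Ldap-Group == juniper_RW
        Service-Type := Administrative-User

DEFAULT Huntgroup-Name == juniper, Ldap-Group == juniper_RO
        Service-Type := NAS-Prompt-User

DEFAULT Huntgroup-Name == passport, Ldap-Group == passport_service
        Service-Type := NAS-Prompt-User

# Catch-all: a user with a valid password but no group for this device
# is still rejected, so group membership, not just the password, gates access.
DEFAULT Auth-Type := Reject
        Reply-Message = "Not authorised for this device"

# LDIF for the user in Frank's example (constructed; hypothetical uid)
# dn: uid=jsmith,ou=people,dc=example,dc=com
# objectClass: inetOrgPerson
# objectClass: radiusprofile
# uid: jsmith
# cn: Jane Smith
# sn: Smith
# userPassword: {SSHA}PLACEHOLDER
# radiusGroupName: passport_service
# radiusGroupName: juniper_RO
```

With this in place jsmith gets NAS-Prompt-User on 192.0.2.10 and 192.0.2.20 but is rejected on any device whose huntgroup has no entry for her groups; run the server with -X and watch the "users: Matched entry DEFAULT" lines to confirm which rule fired.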
