UNCLASSIFIED
-----Original Message----- From: freeradius-users-bounces+frank.ranner=defence.gov.au@lists.fre eradius.org [mailto:freeradius-users-> bounces+frank.ranner=defence.gov.au@lists.freeradius.org] On Behalf Of Ivan . Sent: Monday, 11 August 2008 13:58 To: FreeRadius users mailing list Subject: Re: Juniper and Nortel user access [SEC=UNCLASSIFIED]
Hi Frank
Another question if thats cool?
how do you manage user access, as from what I can see the passwords are in clear text in the conf file? And as such the freeradius admin who adds the users will also add the passwords, or am I missing something?
I am coming from a Cisco ACS background.
Having users and password in the users file is generally only used for testing. In production, the users file is mainly used to test group memberships, both user and client, and assign attributes based on those memberships. The actual authentication is done using a password file, ldap directory or SQL queries. Which of these you use is up to you. In my deployment, I use an openldap server, which holds Unix, Netview, dokuwiki and radius Users. Radius users have the radiusprofile objectclass which allows me to specify the radiusGroupName attribute, which specifies what devices the user can access, and what access level. For example a user may have in LDAP: radiusGroupName: passport_service radiusGroupName: juniper_RO In the raddb/users file a rule may be: DEFAULT Huntgroup-Name == juniper, Ldap-Group == juniper_RO Service-Type := NAS-Prompt-User This ties a group of devices to a group of users. In freeradius, a device can belong to only one huntgroup, whereas users can be in many groups. In any case, to address your initial concern, using ldap or sql allows you to use whatever machanism you like for account maintenance, completely independent of the radius server and it's requirements. You have a bit of a learning curve ahead of you, but it is worth it. Use the -X switch on the server to see what it is doing, and make small changes each time so you know where to look when you break it. Regards, Frank Ranner