Default Authentication
Alan DeKok
aland at deployingradius.com
Wed May 2 06:57:16 CEST 2007
Norman Zhang wrote:
> I have the following setup for users
>
> DEFAULT Auth-Type = System
>     Fall-Through = Yes,
>     cisco-avpair = "shell:priv-lvl=1",
>     Service-Type = NAS-Prompt-User
>
> DEFAULT Group == router-ro
>     cisco-avpair := "shell:priv-lvl=7"
>
> DEFAULT Group == router-rw
>     cisco-avpair := "shell:priv-lvl=15"
>
> However, system users not in group router-ro or router-rw are still able
> to login with privilege level = 1.

Because you configured the server to permit that. Please read "man
users" to see how the "users" file works.

> Is there a way to force only group
> router-ro and router-rw can login?

Switch the entries around:

DEFAULT Group == router-ro
    Fall-Through = Yes,
    cisco-avpair := "shell:priv-lvl=7"

DEFAULT Group == router-rw
    Fall-Through = Yes,
    cisco-avpair := "shell:priv-lvl=15"

DEFAULT Auth-Type = System
    Service-Type = NAS-Prompt-User

And do NOT just blindly try it and see if it works. Spend some time
understanding it first.
Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
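
An added illustration, not part of the original post and not FreeRADIUS code: a simplified Python model of how the "users" file is processed (entries tried top to bottom, Fall-Through = Yes continues to the next entry, `=` adds an attribute only if absent, `:=` replaces it), run over both entry orders from this thread. The user names are constructed, and the model assumes only the operators and checks that appear above.

```python
# Simplified model of FreeRADIUS "users" file processing (an assumption-level
# sketch, not the server's code). Entries are tried top to bottom; a matching
# entry applies its items; processing stops unless Fall-Through = Yes.

def apply(attrs, name, op, value):
    """'=' adds only if the attribute is absent; ':=' always replaces."""
    if op == ":=" or name not in attrs:
        attrs[name] = value

def evaluate(entries, user_groups):
    control, reply = {}, {}
    for group, auth_type, items, fall_through in entries:
        if group is not None and group not in user_groups:
            continue                      # "Group == x" check failed
        if auth_type:
            apply(control, "Auth-Type", "=", auth_type)
        for name, op, value in items:
            apply(reply, name, op, value)
        if not fall_through:
            break
    return control, reply

# Entry layout: (Group check or None, Auth-Type or None, reply items, Fall-Through)
ORIGINAL = [
    (None, "System", [("cisco-avpair", "=", "shell:priv-lvl=1"),
                      ("Service-Type", "=", "NAS-Prompt-User")], True),
    ("router-ro", None, [("cisco-avpair", ":=", "shell:priv-lvl=7")], False),
    ("router-rw", None, [("cisco-avpair", ":=", "shell:priv-lvl=15")], False),
]
REORDERED = [
    ("router-ro", None, [("cisco-avpair", ":=", "shell:priv-lvl=7")], True),
    ("router-rw", None, [("cisco-avpair", ":=", "shell:priv-lvl=15")], True),
    (None, "System", [("Service-Type", "=", "NAS-Prompt-User")], False),
]

def report():
    """Return {(config, user): (Auth-Type, cisco-avpair)} for constructed users."""
    users = {"ro-user": {"router-ro"}, "rw-user": {"router-rw"}, "outsider": set()}
    out = {}
    for label, cfg in (("original", ORIGINAL), ("reordered", REORDERED)):
        for user, groups in users.items():
            control, reply = evaluate(cfg, groups)
            out[(label, user)] = (control.get("Auth-Type"), reply.get("cisco-avpair"))
    return out

if __name__ == "__main__":
    for key, value in sorted(report().items()):
        print(key, value)
```

In this model the reordered file no longer hands out `shell:priv-lvl=1` to anyone, while the final unconditional DEFAULT still sets Auth-Type to System for every user, which is worth checking against the behaviour you intend.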