Grouping similar users to profiles
natrbrazell at gmail.com
Thu Jul 29 18:00:39 CEST 2010
Ooh! I'll try the LDAP-Group. wrt the Juniper-Local-User-Name VSA:
Once authenticated against LDAP the user is mapped to the NAS device where
there is a username called tier3 (or whatever you called it. Could be
superduck). That username is matched against a class which defines a
specific set of available commands. The default classes on a juniper router
and switch (out of the box) are tier1 (read-only), tier2 (show and some
configure commands) and tier3 (or superuser). The audits on both the NAS
and in the radius radacct log show the User-Name value as the LDAP uid.
When a user types a command such as 'edit' the NAS returns a
Juniper-Interactive-Command value = 'edit'. In this way we have a full
record of every command each user types on any Juniper device in our
accounting logs. Doing this provides very granular control over what users
have what permisisons and provides a mechanism for tracking, troubleshooting
On Thu, Jul 29, 2010 at 11:35 AM, Alan DeKok <aland at deployingradius.com>wrote:
> Natr Brazell wrote:
> > I am looking for information on grouping users into profiles/groups.
> > I've searched around the FAQ's and docs but not finding a clear
> > picture. I've found how to associate a user with a group of NAS's.
> See "man rlm_passwd" It can be used to create arbitrary groups,
> including groups of users.
> > Here's the scenario. There is a specfic VSA from Juniper called
> > Juniper-Local-User-Name. This gets mapped to a locally defined profile
> > on the NAS. In the users file I have the following:
> > bob.smith Juniper-Local-User-Name = "tier3",
> What does that do?
> > So to the point, rather than defining each user with the same parameters
> > every time, can I create a group, for instance TIER3, and associate
> > User-Name's above to the group. And if so how or point me to some
> > specific examples.
> > I am using LDAP also so if there is an LDAP solution same question.
> Put the users into an LDAP group, and use LDAP-Group checking:
> DEFAULT LDAP-Group == "tier2"
> Juniper-Deny-Commands "(show system alarms)|(show system
> Alan DeKok.
> List info/subscribe/unsubscribe? See
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Freeradius-Users