Grouping similar users to profiles

Natr Brazell natrbrazell at
Thu Jul 29 18:00:39 CEST 2010

Ooh!  I'll try the LDAP-Group.  wrt the Juniper-Local-User-Name VSA:

Once authenticated against LDAP the user is mapped to the NAS device where
there is a username called tier3 (or whatever you called it.  Could be
superduck).  That username is matched against a class which defines a
specific set of available commands.  The default classes on a juniper router
and switch (out of the box) are tier1 (read-only), tier2 (show and some
configure commands) and tier3 (or superuser).  The audits on both the NAS
and in the radius radacct log show the User-Name value as the LDAP uid.
When a user types a command such as 'edit' the NAS returns a
Juniper-Interactive-Command value = 'edit'.  In this way we have a full
record of every command each user types on any Juniper device in our
accounting logs.  Doing this provides very granular control over what users
have what permisisons and provides a mechanism for tracking, troubleshooting
and accountability.

Thanks Alan,

On Thu, Jul 29, 2010 at 11:35 AM, Alan DeKok <aland at>wrote:

> Natr Brazell wrote:
> > I am looking for information on grouping users into profiles/groups.
> > I've searched around the FAQ's and docs but not finding a clear
> > picture.  I've found how to associate a user with a group of NAS's.
>  See "man rlm_passwd"  It can be used to create arbitrary groups,
> including groups of users.
> > Here's the scenario.  There is a specfic VSA from Juniper called
> > Juniper-Local-User-Name.  This gets mapped to a locally defined profile
> > on the NAS.  In the users file I have the following:
> >
> > bob.smith   Juniper-Local-User-Name = "tier3",
>  What does that do?
> > So to the point, rather than defining each user with the same parameters
> > every time, can I create a group, for instance TIER3, and associate
> > User-Name's above to the group.  And if so how or point me to some
> > specific examples.
> >
> > I am using LDAP also so if there is an LDAP solution same question.
>  Howto?
>  Put the users into an LDAP group, and use LDAP-Group checking:
> DEFAULT   LDAP-Group == "tier2"
>         Juniper-Deny-Commands "(show system alarms)|(show system
> software)"
>  Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list