Freeradius privilege separation
Alan DeKok
aland at deployingradius.com
Fri May 14 09:28:09 CEST 2010
Michał Dopierała wrote:
> Is it possible in freeradius to have one user who has full privilege
> level to one equipment (one cisco router privilege lvl15), and limited
> privilege level to other equipment (other router with smaller privilege
> e.g. lvl10 which will be configured on router)?
Yes.
> How to separate it?
How are the requests different? Use that information to separate the
policies for the two routers.
> My current configuration of users:
>
> mdopierala Auth-Type := PAP, Crypt-Password = "passwrd"
DON'T set Auth-Type. Honestly. This should be written in huge
letters everywhere on all of the documentation.
> Service-Type = "Administrative-User",
> Cisco-AVPair="shell:priv-lvl=15",
> Brocade-Auth-Role ="Administrator"
And it doesn't contain any *conditional* checks for different clients.
You could do:
mdopierala Packet-Src-IP-Address == 192.168.1.1, Cleartext-Password := ...
...
i.e. check for NAS IP, and return different results based on that.
Alan DeKok.
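The approach Alan sketches, written out as a complete pair of "users" file entries. This is an added example, not configuration from the original thread: the username, the first NAS address (192.168.1.1), the password, and the vendor attributes come from the messages above; the second router's address (192.168.1.2) and its Service-Type are assumptions for the sake of illustration.

```text
# Entry for the router that gets full access. Packet-Src-IP-Address is the
# source address the server itself saw on the UDP packet, so it identifies
# the NAS without trusting anything the NAS put inside the request.
# Cleartext-Password is a check item; Auth-Type is deliberately NOT set,
# so the server picks the authentication method itself.
mdopierala	Packet-Src-IP-Address == 192.168.1.1, Cleartext-Password := "passwrd"
	Service-Type = Administrative-User,
	Cisco-AVPair = "shell:priv-lvl=15",
	Brocade-Auth-Role = "Administrator"

# Entry for the second router (192.168.1.2 is an assumed address).
# Same user, same password, but a limited privilege level in the reply.
# NAS-Prompt-User (assumed here) gives an exec shell without implying
# privilege 15; the Cisco-AVPair sets the actual level.
mdopierala	Packet-Src-IP-Address == 192.168.1.2, Cleartext-Password := "passwrd"
	Service-Type = NAS-Prompt-User,
	Cisco-AVPair = "shell:priv-lvl=10"
```

Entries are tried top to bottom and the first whose check items all match is used, so the order matters only if two entries could both match. A request for this user from any NAS other than the two listed matches neither entry; the server then has no known password for the user and the request is rejected rather than silently granted some default level, which is the behaviour you want for an administrative account. The same split can be done on a larger scale with "huntgroups" or per-client policy, but for two routers the check-item form above is the most readable.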