help-gnu-radius

Re: [Help-gnu-radius] Configuring Radius for Cisco equipment


From: Gerald
Subject: Re: [Help-gnu-radius] Configuring Radius for Cisco equipment
Date: Thu, 2 Dec 2004 10:52:52 -0500 (EST)

On Thu, 2 Dec 2004, Chris Partsenidis wrote:

> ----------------------------
> DEFAULT Auth-Type = System,
>                 Login-Time = "Al",
>                 Simultaneous-Use = 1
>         Exec-Program-Wait = "/usr/local/sbin/telauth \
>                              %C{User-Name} \
>                              %C{Calling-Station-Id} \
>                              %C{NAS-IP-Address} \
>                              %C{NAS-Port-Id}"
> -----------------------------------
> and changed the Login-time to 'Al' and Exec-Program-Wait to
> /usr/local/sbin/radauth since 'telauth' doesn't exist.

Why use Exec-Program-Wait then? This example is for if you had an
external script that you wanted to interact with the authentication. For
testing purposes you can just use:

username  User-Password = "IamApassword",
                Simultaneous-Use = 1
        Service-Type = Shell-User,
                Framed-Protocol = PPP

(The FP = PPP is probably not necessary, but I know that example is
syntactically correct.)

Or, if this radius server is exclusively for authenticating the lab:

DEFAULT Auth-Type = System,
                Login-Time = "Al",
                Simultaneous-Use = 1
                Service-Type = Shell-User

This would give anyone who successfully authenticates against the system
password file access to the privileged mode of any Cisco router you
point at this server for authentication.

> radius-server host 192.168.0.15 auth-port 1645 acct-port 1646 key firewall
> radius-server retransmit 3

myrouter(config)#radius-server key ?
  0     Specifies an UNENCRYPTED key will follow
  7     Specifies HIDDEN key will follow
  LINE  The UNENCRYPTED (cleartext) shared key

Looks like you forgot to tell the router the key.

An example of how we used attrib to just give our admins enable access,
with the attrib MySQL database:

+--------------+-------------------+-----------------+------+
| user_name    | attr              | value           | op   |
+--------------+-------------------+-----------------+------+
| username     | Service-Type      | Shell-User      | NULL |
+--------------+-------------------+-----------------+------+

The router needs the key, and Exec-Program-Wait isn't what you want, I
don't think.

Related reading material:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/secur_c/scprt2/scradius.htm
http://www.gnu.org/software/radius/manual/html_mono/radius.html#SEC347

Gerald
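The thread turns on two things the router and the server must agree on: the shared key (the `radius-server ... key` the reply asks about) and the reply attribute that grants shell access (`Service-Type = Shell-User`). The following is an added example, not code from this thread or from GNU Radius: a minimal RFC 2865 Access-Request/Access-Accept exchange in Python that shows what the key actually does on the wire. The NAS hides `User-Password` with MD5(secret + Request Authenticator), the server unhides it with its own copy of the secret and checks it against a constructed stand-in for the users file, and the server's reply is only accepted by the NAS if the Response Authenticator was computed with the same secret. The user name `admin`, the password `IamApassword` (borrowed from the sample profile above), the NAS address 192.168.0.15 and the fixed Request Authenticator are constructed test data; the mapping of `Shell-User` to Service-Type value 6 is assumed from the common RADIUS dictionaries and is not stated on the page.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
# Assumption: Shell-User is the old dictionary name for Administrative-User (6).
SERVICE_TYPE_SHELL_USER = 6


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; strips NUL padding. A wrong secret yields garbage."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    """Attribute = Type(1) Length(1, includes header) Value(<=253)."""
    out = b""
    for typ, val in attrs:
        if len(val) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", typ, len(val) + 2) + val
    return out


def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        typ, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((typ, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(ident, username, password, nas_ip, secret, request_auth=None):
    """NAS (router) side: the secret is used only to hide User-Password."""
    request_auth = request_auth or os.urandom(16)
    body = encode_attrs([
        (USER_NAME, username),
        (USER_PASSWORD, hide_password(password, secret, request_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def server_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: unhide with *its* secret, check the password, sign the reply."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length > len(request):
        raise ValueError("not a well-formed Access-Request")
    request_auth = request[4:20]
    attrs = dict(decode_attrs(request[20:length]))
    password = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    if users.get(attrs.get(USER_NAME)) == password:
        code, reply = ACCESS_ACCEPT, [(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_SHELL_USER))]
    else:
        code, reply = ACCESS_REJECT, []
    body = encode_attrs(reply)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: the reply only counts if it was signed with the same secret."""
    header, resp_auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def demo(nas_secret: bytes, server_secret: bytes):
    """One exchange; returns (reply code, authenticator verified?, Service-Type or None)."""
    users = {b"admin": b"IamApassword"}  # constructed stand-in for the users file
    request_auth = bytes(range(16))      # fixed for reproducibility; use os.urandom(16) live
    req = build_access_request(7, b"admin", b"IamApassword", "192.168.0.15", nas_secret, request_auth)
    resp = server_handle(req, server_secret, users)
    service = dict(decode_attrs(resp[20:])).get(SERVICE_TYPE)
    service_value = struct.unpack("!I", service)[0] if service else None
    return resp[0], verify_response(resp, request_auth, nas_secret), service_value
```

`demo(b"firewall", b"firewall")` returns `(2, True, 6)`: Access-Accept, a reply the router will trust, and Shell-User in the reply. `demo(b"wrongkey", b"firewall")` returns `(3, False, None)`: the server unhides the password into garbage and rejects, and even that reject fails the router's authenticator check, which is the failure mode behind "tell the router the key". Note that the MD5-based hiding is obfuscation keyed on a static secret, not encryption; it is why the key should be long and the RADIUS path should be on a trusted network.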
