
Re: [Help-gnu-radius] Configuring Radius for Cisco equipment


From: Chris Partsenidis
Subject: Re: [Help-gnu-radius] Configuring Radius for Cisco equipment
Date: Tue, 7 Dec 2004 02:23:23 +0200

Thanks for the input Gerald,

I've spent quite a bit of time these past days and I'm quite happy with the 
progress as I've managed to get the user authentication working, but with the 
'users' file. The goal is to use MySQL, but before I touch that part, I need to 
set up Radius the way the lab requires, get it working fully and then move it 
all to a database structure.

What I am now trying to figure out is how to get reverse-Telnet happening. From 
the Cisco documents I've downloaded, there is a sample script:

"
Username = "pat"
Password = "goaway"
User-Service-Type = Shell-User
cisco-avpair = "raccess:port#1=maple/tty2"
"

Cisco states that you must use the 'aaa authorization' command in order to 
configure reverse telnet, which doesn't seem like a big problem to configure, 
however, I am unable to find any guidelines for the Radius server. I've 
searched the radius mailing list archives without success, so I'm hoping 
someone out there has implemented it and can enlighten me :)

Thanks in advance!

_______________________
Chris Partsenidis
Founder & Senior Editor
http://www.firewall.cx
_______________________

  ----- Original Message ----- 
  From: Gerald 
  To: Chris Partsenidis 
  Cc: address@hidden 
  Sent: Thursday, December 02, 2004 5:52 PM
  Subject: Re: [Help-gnu-radius] Configuring Radius for Cisco equipment


  On Thu, 2 Dec 2004, Chris Partsenidis wrote:

  > ----------------------------
  > DEFAULT Auth-Type = System,
  >                 Login-Time = "Al",
  >                 Simultaneous-Use = 1
  >         Exec-Program-Wait = "/usr/local/sbin/telauth \
  >                              %C{User-Name} \
  >                              %C{Calling-Station-Id} \
  >                              %C{NAS-IP-Address} \
  >                              %C{NAS-Port-Id}"
  > -----------------------------------
  > and changed the Login-time to 'Al' and Exec-Program-Wait to
  > /usr/local/sbin/radauth since 'telauth' doesn't exist.

  Why use Exec-Program-Wait then? This example is for if you had an
  external script that you wanted to interact with the authentication. For
  testing purposes you can just use:

  username  User-Password = "IamApassword",
                  Simultaneous-Use = 1
          Service-Type = Shell-User,
                  Framed-Protocol = PPP

  (The FP = PPP is probably not necessary, but I know that example is
  syntactically correct.)

  Or if this radius server is exclusively for authenticating the lab.

  DEFAULT Auth-Type = System,
  Login-Time = "Al",
  Simultaneous-Use = 1
  Service-Type = Shell-User

  This would allow anyone who successfully authenticates off of the system
  password file access to the privileged mode of any cisco router you
  point to this server for authentication.

  > radius-server host 192.168.0.15 auth-port 1645 acct-port 1646 key firewall
  > radius-server retransmit 3

  myrouter(config)#radius-server key ?
    0     Specifies an UNENCRYPTED key will follow
    7     Specifies HIDDEN key will follow
    LINE  The UNENCRYPTED (cleartext) shared key

  Looks like you forgot to tell the router the key.

  An example of how we used attrib to just give our admins enable access
  with the attrib mysql database:

  +--------------+-------------------+-----------------+------+
  | user_name    | attr              | value           | op   |
  +--------------+-------------------+-----------------+------+
  | username     | Service-Type      | Shell-User      | NULL |
  +--------------+-------------------+-----------------+------+

  The router needs the key, and Exec-Program-Wait isn't what you want, I don't
  think.

  Related reading material:
  http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/secur_c/scprt2/scradius.htm
  http://www.gnu.org/software/radius/manual/html_mono/radius.html#SEC347

  Gerald
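As an added example (not from the thread, nor GNU Radius's own code), a small Python parser for 'users' entries in the form shown in these messages, plus an audit for the DEFAULT profile Gerald warns about: it flags a DEFAULT entry that authenticates against the system password file and replies with Service-Type = Shell-User. The continuation rule it assumes (check items run while lines end in a comma; the rest are reply items) is taken from the entries quoted above, not from the full GNU Radius grammar; the sample file is constructed from those entries.

```python
import re

# Constructed sample: the broad DEFAULT profile beside a per-user entry,
# both in the layout used in the thread.
SAMPLE_USERS = '''\
DEFAULT Auth-Type = System,
                Login-Time = "Al",
                Simultaneous-Use = 1
        Service-Type = Shell-User

username  User-Password = "IamApassword",
                Simultaneous-Use = 1
        Service-Type = Shell-User,
                Framed-Protocol = PPP
'''

# One "Attribute = value" pair; the value is either quoted or a bare word.
PAIR = re.compile(r'([\w-]+)\s*=\s*("[^"]*"|[^,\s]+)')


def parse_users(text):
    """Return [{"name", "check", "reply"}] for each entry in a users file.

    Assumed layout: an entry starts in column 0 with the user name; check
    items continue while a line ends with a comma, and every line after the
    first line without a trailing comma holds reply items.
    """
    entries, cur, in_check = [], None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():            # column 0: a new entry
            name, _, line = line.partition(" ")
            cur = {"name": name, "check": {}, "reply": {}}
            entries.append(cur)
            in_check = True
        if cur is None:
            raise ValueError("reply line before any entry: %r" % raw)
        pairs = [(a, v.strip('"')) for a, v in PAIR.findall(line)]
        (cur["check"] if in_check else cur["reply"]).update(pairs)
        if in_check and not line.endswith(","):
            in_check = False                 # no trailing comma ends checks
    return entries


def audit(entries):
    """Flag DEFAULT profiles that hand Shell-User to every system account."""
    findings = []
    for e in entries:
        if (e["name"] == "DEFAULT" and e["check"].get("Auth-Type") == "System"
                and e["reply"].get("Service-Type") == "Shell-User"):
            findings.append("DEFAULT: any system account gets Shell-User on every NAS")
    return findings
```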
