Radius very RFS7000's users authentication question

J Juan-Antonio Martinez 3 years 6 months ago

If I set RFS7000's users authentication from "local" to "radius", typed users (both in CLI and GUI)  always log with "monitor" role.  I checked on Syslog, debug level. I need to authenticate users as SuperUser's role,  Network's role, whatsoever. Users have a given role on RFS7000, and this must be set on the auth system (Radius+LDAP). How can I make Radius "tell" RFS7000 the role a given user must have? Would this be with LDAP (so I need to auth with LDAP/AD) Group attributes or so?


4 Replies

R Robert Caporino

You have to define the correct attributes within the radius server for that particular user or group. I attached a document that provides and explains the use of the attributes.

S Steve Zimmerman

Try this doc and sample VSA on setting up ACS for RFS role based authentication

J Juan-Antonio Martinez

Thanks to you all! It worked. I am using FreeRadius, I installed dictionary.symbol, I added this to users.conf:

admin2  User-Password == "*********"
        Symbol-Admin-Role = SuperUser,
        Symbol-Login-Source = All

And then restarted the service.

The thing is that behaviour is not exactly as expected (as said on documents). Primary is set to radius, secondary to local. Radius service is up and running (above's admin2 user logs as superuser, and radius.log shows the request). If I try and log as standard local admin user, I expected to be kicked away (since radius would unauth this unknown user). Yet, I actually logged in as superuser (just as if radius was off). But, as seen on radius.log:

Mon Jul 20 10:53:29 2009 : Auth: Login incorrect: [admin/superuser] (from client private-network-30 port 1812)

And on syslog from RFS7000:

Jul 20 10:42:54 192.168.30.56 Jul 20 10:43:54 RFS7K-EmuCorreos1 %USER-3-ERR: WIOS_SNMP[1098]: login timeout = 39
Jul 20 10:53:38 192.168.30.56 Jul 20 10:54:39 RFS7K-EmuCorreos1 %IMI-5-AUTHNOTIFY: Radius server secret not configured or server not reachable. Hence trying next auth method
Jul 20 10:53:38 192.168.30.56 Jul 20 10:54:39 RFS7K-EmuCorreos1 %IMI-5-USERAUTHSUCCESS: User 'admin' logged in with role of ' superuser' from auth source 'local'

It seems as if RFS7000 does not get response from Radius on time (I have set 3 retries with 3 seconds) and then tries "local" method. Maybe it's a problem with FreeRadius. Anyway, this was just to let you know there seems to be a conflict. I am not raising any case, since this behaviour is OK for me. Thanks again!

K Kevin Marshall

This can be achieved by using the Symbol-Admin-Role vendor specific attribute which can be forwarded in the Access-Accept to the RF Switch from the RADIUS server. Upon successful authentication the VSA will be forwarded to the RF Switch which will provide the appropriate permissions to the user.

| Attribute Name | Vendor ID | Attribute Number | Attribute Format |
|---|---|---|---|
| Symbol-Admin-Role | 388 | 1 | Integer |

| Integer Value | Associated Roles | Description |
|---|---|---|
| 1 | Monitor | Assigned to personnel requiring read-only access to an RF Switch. |
| 2 | Help Desk Manager | Assigned to personnel responsible for troubleshooting and debugging problems. The Help Desk Manager role provides access to troubleshooting utilities, execution of service commands, logs and can reboot the switch. |
| 4 | Network Administrator | Assigned to personnel responsible for configuration of wired and wireless parameters such as IP configuration, VLANs, Firewall, WLANs, Radios, IDS and hotspot. |
| 8 | System Administrator | Assigned to personnel responsible for configuring general switch settings such as NTP, boot parameters, licenses, images, auto install, clustering and access control. |
| 16 | Web User Administrator | Assigned to non skilled personnel responsible for adding guest user accounts for Hotspot authentication. |
| 32768 | Super User | Assigned to personnel requiring full administrative privileges. |

I am working on a RADIUS guide that documents all our supported VSAs as well as the supported standard attributes. I hope to have this document completed within the next week. If you require RADIUS dictionary files, I have created new dictionaries for various popular RADIUS servers which are posted here @ http://motopedia.mot.com/wiki/RADIUS_Dictionaries. If you have any questions please feel free to contact me directly.

Regards, Kevin
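As an added illustration (not part of any reply in this thread, nor vendor code), the following Python example encodes and decodes the Symbol-Admin-Role VSA from the tables above using the standard RFC 2865 Vendor-Specific layout, which is useful for checking in a test or a packet capture which role a RADIUS server actually grants. The function names and sample packets are constructed here, and the zeroed authenticator is not validated.

```python
import struct

# Values from the tables above; function names and sample packets are constructed.
VENDOR_SPECIFIC, SYMBOL_VENDOR_ID, SYMBOL_ADMIN_ROLE = 26, 388, 1
ROLES = {1: "Monitor", 2: "Help Desk Manager", 4: "Network Administrator",
         8: "System Administrator", 16: "Web User Administrator",
         32768: "Super User"}

def encode_admin_role(value):
    """Vendor-Specific attribute (RFC 2865 type 26) carrying Symbol-Admin-Role."""
    sub = struct.pack("!BBI", SYMBOL_ADMIN_ROLE, 6, value)
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), SYMBOL_VENDOR_ID) + sub

def build_packet(code, ident, attrs):
    """RADIUS header + zeroed authenticator (not validated here) + attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + bytes(16) + attrs

def admin_roles(packet):
    """Return every Symbol-Admin-Role integer found in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    found, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        body = packet[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC or len(body) < 4:
            continue
        if int.from_bytes(body[:4], "big") != SYMBOL_VENDOR_ID:
            continue
        sub = body[4:]
        while sub:                      # walk the vendor sub-attributes
            if len(sub) < 2 or sub[1] < 2 or sub[1] > len(sub):
                raise ValueError("malformed vendor sub-attribute")
            if sub[0] == SYMBOL_ADMIN_ROLE and sub[1] == 6:
                found.append(int.from_bytes(sub[2:6], "big"))
            sub = sub[sub[1]:]
    return found

def describe(packet):
    """Map role integers to the names in the table; flag anything else."""
    return [ROLES.get(v, "unknown value %d" % v) for v in admin_roles(packet)]

if __name__ == "__main__":
    accept = build_packet(2, 1, encode_admin_role(32768))  # 2 = Access-Accept
    print(describe(accept))
```

An Access-Accept for which `admin_roles` returns an empty list carries no role attribute at all, which is consistent with the situation in the original question where every RADIUS user ended up with the monitor role.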
