If I set the RFS7000's user authentication from "local" to "radius", users who log in (both in CLI and GUI) always get the "monitor" role. I checked on Syslog at debug level. I need to authenticate users with the SuperUser role, the Network role, whatever. Users have a given role on the RFS7000, and this must be set on the auth system (Radius+LDAP). How can I make Radius "tell" the RFS7000 the role a given user must have? Would this be done with LDAP (so I would need to auth with LDAP/AD) group attributes or so?
Radius very RFS7000's users authentication question
You have to define the correct attributes within the radius server for that particular user or group. I attached a document that provides and explains the use of the attributes.
Try this doc and sample VSA on setting up ACS for RFS role-based authentication.
Thanks to you all! It worked. I am using FreeRadius, I installed dictionary.symbol, and I added this to users.conf:

admin2 User-Password == "*********"
        Symbol-Admin-Role = SuperUser,
        Symbol-Login-Source = All

and then restarted the service. The thing is that the behaviour is not exactly as expected (as described in the documents). Primary is set to radius, secondary to local. The Radius service is up and running (the admin2 user above logs in as superuser, and radius.log shows the request). If I try to log in as the standard local admin user, I expected to be kicked out (since radius would reject this unknown user). Yet I actually logged in as superuser (just as if radius were off). But, as seen in radius.log:

Mon Jul 20 10:53:29 2009 : Auth: Login incorrect: [admin/superuser] (from client private-network-30 port 1812)

And in the syslog from the RFS7000:

Jul 20 10:42:54 192.168.30.56 Jul 20 10:43:54 RFS7K-EmuCorreos1 %USER-3-ERR: WIOS_SNMP[1098]: login timeout = 39
Jul 20 10:53:38 192.168.30.56 Jul 20 10:54:39 RFS7K-EmuCorreos1 %IMI-5-AUTHNOTIFY: Radius server secret not configured or server not reachable. Hence trying next auth method
Jul 20 10:53:38 192.168.30.56 Jul 20 10:54:39 RFS7K-EmuCorreos1 %IMI-5-USERAUTHSUCCESS: User 'admin' logged in with role of ' superuser' from auth source 'local'

It seems as if the RFS7000 does not get a response from Radius in time (I have set 3 retries with 3 seconds) and then tries the "local" method. Maybe it's a problem with FreeRadius. Anyway, this was just to let you know there seems to be a conflict. I am not raising a case, since this behaviour is OK for me. Thanks again!
This can be achieved by using the Symbol-Admin-Role vendor-specific attribute, which can be forwarded in the Access-Accept to the RF Switch from the RADIUS server. Upon successful authentication the VSA will be forwarded to the RF Switch, which will provide the appropriate permissions to the user.
Attribute Name      Vendor ID   Attribute Number   Attribute Format
Symbol-Admin-Role   388         1                  Integer

Integer Value   Associated Role           Description
1               Monitor                   Assigned to personnel requiring read-only access to an RF Switch.
2               Help Desk Manager         Assigned to personnel responsible for troubleshooting and debugging problems. The Help Desk Manager role provides access to troubleshooting utilities, execution of service commands and logs, and can reboot the switch.
4               Network Administrator     Assigned to personnel responsible for configuration of wired and wireless parameters such as IP configuration, VLANs, Firewall, WLANs, Radios, IDS and hotspot.
8               System Administrator      Assigned to personnel responsible for configuring general switch settings such as NTP, boot parameters, licenses, images, auto install, clustering and access control.
16              Web User Administrator    Assigned to non-skilled personnel responsible for adding guest user accounts for Hotspot authentication.
32768           Super User                Assigned to personnel requiring full administrative privileges.
I am working on a RADIUS guide that documents all our supported VSAs as well as the supported standard attributes. I hope to have this document completed within the next week. If you require RADIUS dictionary files, I have created new dictionaries for various popular RADIUS servers, which are posted here @ http://motopedia.mot.com/wiki/RADIUS_Dictionaries. If you have any questions please feel free to contact me directly. Regards, Kevin
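To make the role assignment concrete, here is an added example (not from this thread, Motorola or FreeRADIUS) that encodes and parses the Symbol-Admin-Role VSA as it travels inside an Access-Accept, using the vendor ID 388, attribute number 1 and the integer values from the table above; the sample attribute list, including its Reply-Message, is constructed for the example.

```python
import struct

# Symbol-Admin-Role values from the table above: vendor 388, attribute 1, integer.
SYMBOL_VENDOR_ID = 388
SYMBOL_ADMIN_ROLE = 1
ADMIN_ROLES = {1: "Monitor", 2: "Help Desk Manager", 4: "Network Administrator",
               8: "System Administrator", 16: "Web User Administrator",
               32768: "Super User"}
VENDOR_SPECIFIC = 26  # RFC 2865 attribute type that wraps every VSA

def encode_int_vsa(vendor_id, vendor_type, value):
    """One Vendor-Specific attribute carrying a 32-bit integer sub-attribute:
    type(26) | length | vendor-id(4) | vendor-type | vendor-length | value(4)."""
    sub = struct.pack("!BBI", vendor_type, 6, value)
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), vendor_id) + sub

def iter_attrs(data):
    """Yield (type, value-bytes) for each TLV in a RADIUS attribute list,
    rejecting a length that would run past the end of the buffer."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length at offset %d" % pos)
        yield atype, data[pos + 2:pos + alen]
        pos += alen

def admin_role_from_accept(attrs):
    """Return the role name carried in Symbol-Admin-Role, or None when the
    Access-Accept has no such VSA (the switch then applies its default
    'monitor' role, which is the symptom described in the question)."""
    for atype, value in iter_attrs(attrs):
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != SYMBOL_VENDOR_ID:
            continue  # some other vendor's VSA, ignore it
        for vtype, vval in iter_attrs(value[4:]):  # sub-attributes use the same TLV layout
            if vtype == SYMBOL_ADMIN_ROLE and len(vval) == 4:
                code = struct.unpack("!I", vval)[0]
                return ADMIN_ROLES.get(code, "unknown role value %d" % code)
    return None

# Constructed Access-Accept attribute list: a Reply-Message (type 18) followed by
# Symbol-Admin-Role = 4 (Network Administrator).
SAMPLE_ACCEPT = (struct.pack("!BB", 18, 4) + b"ok"
                 + encode_int_vsa(SYMBOL_VENDOR_ID, SYMBOL_ADMIN_ROLE, 4))

if __name__ == "__main__":
    print(admin_role_from_accept(SAMPLE_ACCEPT))  # Network Administrator
```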