Re: Re: Radius Tunnel Attributes (Tunnel switching with Cisco Router)
mike at ostw.de
Fri Jun 17 13:13:08 CEST 2005
Thanks for your quick answer!
I changed my hints file and now it works (matching on
prefix:dsl/adsl-location1/2), but there is another (new) "but" :)
I think it is right that a user first needs to be authenticated before the
user gets authorized and receives his (tunnel) attributes? For my scenario I
need something like this:
all users with a domain prefix like
dsl/adsl-location1-username
dsl/adsl-location2-username
dsl/adsl-location3-username
...
and so on should be redirected (with the use of tunnel attributes) to another
router. On the RADIUS server which commits these tunnel attributes, these
users must first be authenticated to receive these tunnel attributes, but I
only want to forward them without authentication. All other users with a
domain prefix like
dsl/adsl-username
should be authenticated and terminated locally and should not receive any
tunnel attributes (normal user entries in the users file).
I tested something like this, and it works, but I'm not sure if this will
cause a security hole if I use DEFAULT Auth-Type = None for my
"tunnel users":
-------------------------
my hints file
DEFAULT	Prefix = "dsl/adsl-location1", Strip-User-Name = No
	Hint = "tunnel1"
-------------------------
my users file
(user will be terminated locally and authenticated via the radius server)
dsl/adsl-username1	Auth-Type = Local, Password = "test123"
	Service-Type = Framed-User,
	Cisco-AVPair = "ip:dns-servers=x.x.x.x x.x.x.x",
	Framed-Protocol = PPP,
	Acct-Interim-Interval = 600,
	Framed-IP-Address = x.x.x.x,
	Framed-IP-Netmask = 255.255.255.255
(user gets tunnel attributes)
DEFAULT	Hint = "tunnel1"
	Service-Type = Outbound-User,
	Tunnel-Type:0 = L2TP,
	Tunnel-Medium-Type:0 = IP,
	Tunnel-Server-Endpoint:0 = x.x.x.x,
	Tunnel-Password:0 = "test",
	Tunnel-Assignment-Id:0 = "radius-switch",
	Tunnel-Client-Auth-Id:0 = "to3620",
	Tunnel-Server-Auth-Id:0 = "from7200",
	Tunnel-Preference:0 = 1,
	Fall-Through = Yes
DEFAULT	Auth-Type = None
--------------------------
I tried adding
Auth-Type = None
in the hints file for the tunneled users, but this doesn't work:
DEFAULT	Prefix = "dsl/adsl-location1", Strip-User-Name = No
	Hint = "tunnel1"
	Auth-Type = None
and also in the users file:
DEFAULT	Hint = "tunnel1"
	Auth-Type = None
This does not work either. Any solution or idea how I should configure my radius to
1. authenticate users which will be locally terminated (and authenticated via the
users file)
2. apply tunnel attributes to users (matching on the prefix in the hints
file) without authentication?
Thx & Greets
mike
In article <20050616104705.614C718CD73 at smtp.tal.de>,
<mike at ostw.de> wrote:
>Tunnel attributes are submitted correctly to the Cisco, tunnel creation
>works fine, thanks! BUT ;) ...
>... it only works per user. How do I have to configure my Cistron
>radius so that every user with the domain prefix:
>dsl/adsl-location1-
>
>will get the tunnel attributes?
>
>and users with the prefix:
>dsl/adsl-location2-
>
>will get different tunnel / radius attributes?
>
>How / where do I have to configure the matching? (users file?
>realms?)
>
>Complete usernames are like dsl/adsl-location1-user
You can use the "hints" file for that. Something like:
# Hints file
DEFAULT	Prefix = "dsl/adsl-location1-", Strip-User-Name = Yes
	Hint = "location1"
DEFAULT	Prefix = "dsl/adsl-location2-", Strip-User-Name = Yes
	Hint = "location2"

# Users file
DEFAULT	Hint = "location1"
	Tunnel-Attr-1 = "bla",
	Tunnel-Attr-2 = "bla",
	Fall-Through = Yes
DEFAULT	Hint = "location2"
	Tunnel-Attr-1 = "foo",
	Tunnel-Attr-2 = "foo",
	Fall-Through = Yes
DEFAULT	Auth-Type = system
.. depends on what you want to do, really. The above strips off the prefix,
sets tunnel attributes depending on the prefix, then authenticates the
username without the prefix against /etc/passwd.
Mike.
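As an added illustration (not code from this thread, from Cistron radiusd, or from the Cisco side), here is a small Python model of how radiusd walks the hints and users files, run against constructed sample files shaped like the ones in the two messages above: the prefix-stripping hints entry from the reply and the catch-all users file from the question. It assumes a simplified version of radiusd's rules (entries are tried in order, every check item on an entry's first line must match the request, reply items accumulate, Fall-Through = Yes continues to the next entry, Auth-Type = None skips the credential check, Auth-Type = Local or no Auth-Type compares the cleartext Password item, and Strip-User-Name only strips when set to Yes); 192.0.2.1 and the user names are placeholders. Fed a users file with an unconditional trailing DEFAULT Auth-Type = None it shows what that catch-all reaches: a request for a name that matches no earlier entry is still accepted, with no attributes and no password check. The second users file places Auth-Type = None among the check items of the tunnel entry itself, so only requests carrying the tunnel Hint skip authentication, and the model shows the difference in what the two layouts accept.

```python
import re

# One "Attribute = value" pair; the value is a quoted string or a bare token.
# Attribute names may carry a tag suffix such as Tunnel-Type:0.
_PAIR = re.compile(r'([\w:.-]+)\s*=\s*("[^"]*"|[^,\s]+)')

def _pairs(text):
    """Attribute = value pairs on one line, as a dict with quotes removed."""
    return {k: v.strip('"') for k, v in _PAIR.findall(text)}

def parse_entries(text):
    """Parse a hints/users fragment into (name, check_items, reply_items) tuples."""
    # A line in column 0 opens an entry: user name or DEFAULT, then check items;
    # indented continuation lines carry the reply items.
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():                       # reply items
            entries[-1][2].update(_pairs(line))
        else:                                       # "name check, check"
            parts = line.split(None, 1)
            entries.append((parts[0], _pairs(parts[1]) if len(parts) > 1 else {}, {}))
    return entries

def apply_hints(username, hints):
    """Request as the users file sees it: User-Name plus any Hint set by hints."""
    req = {"User-Name": username}
    for _, checks, replies in hints:
        prefix = checks.get("Prefix")
        if prefix is not None and username.startswith(prefix):
            req.update(replies)                     # adds Hint = "..."
            if checks.get("Strip-User-Name") == "Yes":
                req["User-Name"] = username[len(prefix):]
            break
    return req

def authorize(username, password, hints_text, users_text):
    """Return (accepted, reply_items, matched_entry_names) for one request."""
    # Entries are tried in order; a match contributes its reply items and
    # processing stops unless the entry says Fall-Through = Yes. Auth-Type = None
    # accepts with no credential check; Local (or none given) compares Password.
    req = apply_hints(username, parse_entries(hints_text))
    reply, matched, auth_type, expected = {}, [], None, None
    for name, checks, replies in parse_entries(users_text):
        if name != "DEFAULT" and name != req["User-Name"]:
            continue
        plain = {k: v for k, v in checks.items() if k not in ("Auth-Type", "Password")}
        if any(req.get(k) != v for k, v in plain.items()):
            continue
        matched.append(name)
        auth_type = checks.get("Auth-Type", auth_type)
        expected = checks.get("Password", expected)
        reply.update(replies)
        if reply.pop("Fall-Through", "No") != "Yes":
            break
    if not matched:
        return False, {}, matched
    if auth_type == "None":
        return True, reply, matched
    return expected is not None and password == expected, reply, matched

# Constructed sample files; 192.0.2.1 is a documentation placeholder address.
HINTS = '''\
DEFAULT Prefix = "dsl/adsl-location1", Strip-User-Name = No
    Hint = "tunnel1"
'''

# Shaped like the users file in the question: the tunnel entry falls through
# to an unconditional DEFAULT Auth-Type = None, which any request can reach.
USERS_CATCHALL = '''\
dsl/adsl-username1 Auth-Type = Local, Password = "test123"
    Service-Type = Framed-User
DEFAULT Hint = "tunnel1"
    Service-Type = Outbound-User,
    Tunnel-Type:0 = L2TP,
    Tunnel-Server-Endpoint:0 = 192.0.2.1,
    Fall-Through = Yes
DEFAULT Auth-Type = None
'''

# Same policy, with Auth-Type = None as a check item of the tunnel entry only.
USERS_SCOPED = '''\
dsl/adsl-username1 Auth-Type = Local, Password = "test123"
    Service-Type = Framed-User
DEFAULT Hint = "tunnel1", Auth-Type = None
    Service-Type = Outbound-User,
    Tunnel-Type:0 = L2TP,
    Tunnel-Server-Endpoint:0 = 192.0.2.1
'''

if __name__ == "__main__":
    for label, users in (("catch-all", USERS_CATCHALL), ("scoped", USERS_SCOPED)):
        for user, pw in (("dsl/adsl-username1", "test123"), ("dsl/adsl-location1-bob", ""), ("nobody", "")):
            ok, rep, hit = authorize(user, pw, HINTS, users)
            print(f"{label:9} {user:24} accept={ok!s:5} matched={hit} reply={sorted(rep)}")
```

Run the file directly to print the decision for three constructed requests against each users file. authorize() returns the accept/reject decision, the reply attributes and the names of the entries that matched, so the same call can sit in a test that is run before a users file goes live: in this model the catch-all layout accepts "nobody" with an empty password and an empty reply, while the scoped layout rejects it and still tunnels the dsl/adsl-location1- users without a password.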
-
List info/subscribe/unsubscribe? See http://www.radius.cistron.nl/list/