Here's an example of what I do.
I want the ability to limit those individuals that are authenticated against our LDAP server. This allows us to maintain a list of users that are allowed to dial in.

I arbitrarily chose the 'NAS-Port-Type' RADIUS attribute that is sent to Radiator from our NAS. Its value will be the same each time....ASYNC.

I chose an unused attribute in the user's LDAP entry and changed it to match the value of 'NAS-Port-Type'. I do this for any user that wants to dial in.

My config file has the following line in it to handle the comparison:

AuthAttrDef        telephonenumber,NAS-Port-Type,check

Here's a snip of the log messages when a user authenticates:

Fri Apr 14 20:31:34 2000: DEBUG: Handling with Radius::AuthLDAP
Fri Apr 14 20:31:34 2000: DEBUG: Connecting to HOST, port 389
Fri Apr 14 20:31:35 2000: DEBUG: LDAP got result for uid=username,ou=People,o=Fox Chase Cancer Center,c=US
Fri Apr 14 20:31:35 2000: DEBUG: LDAP got userpassword: {crypt}password
Fri Apr 14 20:31:35 2000: DEBUG: LDAP got telephonenumber: Async
Fri Apr 14 20:31:35 2000: DEBUG: Radius::AuthLDAP looks for match with username
Fri Apr 14 20:31:35 2000: DEBUG: Radius::AuthLDAP ACCEPT: 
Fri Apr 14 20:31:35 2000: DEBUG: Access accepted for username

I suggest capturing (sniffing) the packets sent from your NAS to Radiator during an authentication request. This will allow you to note which RADIUS attributes are being sent, and what their values are. Pick one that doesn't change, and use it.

I didn't have to make any changes to the dictionary file, and didn't have to use any of the check or reply items.

I'm not sure if this is what you're attempting to achieve, but it works like a charm for me and was easy to implement.

Steve
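The following is an added illustration of the mechanism Steve describes, not Radiator's own code and not anything either poster wrote: it parses an `AuthAttrDef ldapattr,radiusattr,check` line, turns the mapped LDAP attribute into a check item, and compares it with the attribute carried in the Access-Request. The directory entries, the request dictionaries, the `authorize` function and its `fail_closed` switch are all constructed for the example; the thread does not say how the real server treats a user whose entry lacks the mapped attribute, so that policy is made explicit and switchable here.

```python
"""Model of an AuthAttrDef 'check' item derived from an LDAP attribute.

Added illustration, not Radiator's code.  Directory contents, requests and
the fail-closed policy are constructed for this example.
"""
from dataclasses import dataclass

# Constructed LDAP entries keyed by uid; the values echo the log lines above.
LDAP_DIRECTORY = {
    "alice": {"userpassword": "{crypt}password", "telephonenumber": "Async"},
    "bob":   {"userpassword": "{crypt}password"},                 # not marked for dial-in
    "carol": {"userpassword": "{crypt}password", "telephonenumber": "Virtual"},
}


@dataclass(frozen=True)
class AuthAttrDef:
    ldap_attr: str     # attribute read from the user's LDAP entry
    radius_attr: str   # RADIUS attribute it is mapped to
    kind: str          # "check" (compared with the request) or "reply" (sent back)


def parse_auth_attr_def(line: str) -> AuthAttrDef:
    """Parse 'ldapattr,radiusattr,type' as written in the config line above."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != 3 or parts[2] not in ("check", "reply") or not all(parts):
        raise ValueError(f"malformed AuthAttrDef: {line!r}")
    return AuthAttrDef(*parts)


# The single definition from Steve's config file.
DEFS = [parse_auth_attr_def("telephonenumber,NAS-Port-Type,check")]


def build_items(entry: dict, defs) -> tuple[dict, dict]:
    """Split the mapped LDAP attributes into check items and reply items."""
    check, reply = {}, {}
    for d in defs:
        if d.ldap_attr in entry:
            target = check if d.kind == "check" else reply
            target[d.radius_attr] = entry[d.ldap_attr]
    return check, reply


def authorize(request: dict, defs=DEFS, directory=LDAP_DIRECTORY,
              fail_closed: bool = True) -> tuple[bool, str]:
    """Decide access for one Access-Request (constructed model).

    Password verification is assumed to have already succeeded; only the
    check-item comparison is modelled.  With fail_closed=True a user whose
    entry lacks a mapped 'check' attribute is rejected, which is what turns
    the attribute into an allow-list rather than an optional extra condition.
    Whether the real server does this for an absent attribute is not stated
    in the thread; confirm it against your own server's debug log.
    """
    user = request.get("User-Name")
    entry = directory.get(user)
    if entry is None:
        return False, f"REJECT: no LDAP entry for {user!r}"
    check, _reply = build_items(entry, defs)
    for d in defs:
        if d.kind != "check":
            continue
        expected = check.get(d.radius_attr)
        if expected is None:
            if fail_closed:
                return False, f"REJECT: {user!r} has no {d.ldap_attr} (not enabled for dial-in)"
            continue
        got = request.get(d.radius_attr)
        if got != expected:   # exact string comparison in this model
            return False, f"REJECT: {d.radius_attr}={got!r} does not match {expected!r}"
    return True, "ACCEPT"


if __name__ == "__main__":
    for req in ({"User-Name": "alice", "NAS-Port-Type": "Async"},
                {"User-Name": "bob",   "NAS-Port-Type": "Async"},
                {"User-Name": "carol", "NAS-Port-Type": "Async"},
                {"User-Name": "alice", "NAS-Port-Type": "ISDN"}):
        print(req["User-Name"], authorize(req))
```

The case worth checking in a real deployment is `bob`: with `fail_closed=False` he is accepted because no check item is ever generated for him, so an "allow-list by attribute" only works if an absent attribute counts as a failed check. Running the comparison against a captured request, as Steve suggests, is the quickest way to confirm both the attribute name and the exact value spelling the NAS sends.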

-----Original Message-----
From: Dave Kitabjian [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 02, 2000 10:05 AM
To: '[EMAIL PROTECTED]'
Subject: (RADIATOR) LDAP: new "AuthAttrDef" attribute?


Regarding: http://www.open.com.au/radiator/ref.html#pgfId=369888

and the new AuthAttrDef attribute for LDAP...

This looks like a nice feature. However, to make AuthAttrDef entries as:

        AuthAttrDef ldapattributename, radiusattributename, type

you would need to anticipate and list in your .cfg file every Reply item
(and Check item) that any of your users might need, right? That doesn't
seem to make sense. (Am I missing something?)

On the other hand, with CheckAttr and ReplyAttr you don't have to worry
about that; just list whatever you want in your LDAP db, and Radiator
will pick them up. But CheckAttr/ReplyAttr are being deprecated. So...

Can I accomplish the equivalent functionality by doing:

        AuthAttrDef GENERIC, ???, check
        AuthAttrDef GENERIC, ???, reply

What do I put for ??? Perhaps you could list an example using GENERIC in
the docs?

Thanks very much!

Dave

===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
