Mailing List Archive

2 radius server for a nas
Hi all,

I use as5350 nas and a radius server but need to give restricted access
to guest users and can't give access to these users to change their
passwords on the radius server, is it possible to have a local
authentication for these users and radius for normal users or use two
radius servers, one for normal users and another for guests?

Regards.
RE: 2 radius server for a nas
Hi Rivo,

> I use as5350 nas and a radius server but need to give restricted
> access to guest users and can't give access to these users to change
> their passwords on the radius server, is it possible to have a local
> authentication for these users and radius for normal users or use two
> radius servers, one for normal users and another for guests?

Can you introduce a different DNIS for guests? If so you can either use
RPM to assign a different template which references a local ppp
authentication/authorization method or use the "aaa dnis map
{authentication|authorization}" feature on your "regular" users' DNIS to
assign your "normal" AAA server group for this DNIS while configuring
"aaa authen ppp default local"/"aaa author network default local" to be
used by all other DNIS.

But maybe you can also prevent guest users from changing their password
on your Radius server?

oli
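
A sketch of the "aaa dnis map" variant described in the reply above, as an added example that is not part of the original thread. The DNIS number, RADIUS server address, shared key, server-group name and guest account are constructed placeholders, and the exact syntax should be checked against the IOS release running on the NAS.

```text
! Added example: constructed values, not from the original post.
aaa new-model
!
! RADIUS server and server group used only for the "regular" users' DNIS
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key <SHARED-SECRET>
aaa group server radius NORMAL-USERS
 server 192.0.2.10 auth-port 1645 acct-port 1646
!
! Calls to the regular DNIS (5551000 is a placeholder) go to RADIUS
aaa dnis map enable
aaa dnis map 5551000 authentication ppp group NORMAL-USERS
aaa dnis map 5551000 authorization network group NORMAL-USERS
!
! Every other DNIS, including the guest number, falls through to the
! default method lists, which use the local user database
aaa authentication ppp default local
aaa authorization network default local
!
! Guest account held on the NAS itself, so guests never touch the
! RADIUS server and cannot change a password there
username guest password <GUEST-PASSWORD>
```

With this layout a call that arrives on an unmapped DNIS can only authenticate against the local database, so it is worth confirming with a test call that the regular DNIS is matched by the map and is not silently falling back to local.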
RE: 2 radius server for a nas
On Sat, 13 Mar 2004, Oliver Boehmer (oboehmer) wrote:

> > I use as5350 nas and a radius server but need to give restricted
> > access to guest users and can't give access to these users to change
> > their passwords on the radius server, is it possible to have a local
> > authentication for these users and radius for normal users or use two
> > radius servers, one for normal users and another for guests?
>
> Can you introduce a different DNIS for guests? If so you can either use
> RPM to assign a different template which references a local ppp
> authentication/authorization method or use the "aaa dnis map
> {authentication|authorization}" feature on your "regular" users' DNIS to
> assign your "normal" AAA server group for this DNIS while configuring
> "aaa authen ppp default local"/"aaa author network default local" to be
> used by all other DNIS.
>
> But maybe you can also prevent guest users from changing their password
> on your Radius server?

how about just assigning an acl via cisco-avpairs to restrict the 'guest'
users to whichever access required ?

j.