Mailing List Archive

RADIUS returning class|permissions information
Hi all,

I have a question: is it possible for a RADIUS server to send
information about the user class, or at least the permission bits
that are set for a particular user, back to Juniper? Because there
are only three Juniper VSAs defined (Juniper-Local-User-Name,
Juniper-Allow-Commands and Juniper-Deny-Commands), there are
only two solutions that came to my mind:

1) After I authenticate on a RADIUS server (e.g. as 'adam@juniper'),
it returns another user name back to the router (e.g. 'test') that
is locally configured and belongs to an appropriate class. That
works fine up to the moment of issuing a "request routing-engine
login other-routing-engine" command. The router lets me in to the
other RE as user 'test' instead of 'adam@juniper'. But that
takes away the possibility to distinguish between the users
belonging to the same class on that RE. And I'm really anxious
to have that possibility, so this ain't a good solution.

2) To translate all the permission bits (e.g. configure,
control, interface-control etc.) to regular expressions
and supply the result to RADIUS. All users have their own
Juniper-Allow-Commands and Juniper-Deny-Commands VSAs defined as
a set of those regexps. But that's quite a nasty job to do...

Is there any solution that is not so complex?

Best Regards,
Adam