Ascend Archive

(ASCEND) RADIUS & MAXen - access question (fwd)



Once upon a time Michael Curran shaped the electrons to say...
>We have a single Max4000 and are about to add 2 x Max2000s to our 
>network.  We use RADIUS for dialin authentication and have a very 
>simple user profile for every user that looks like:
>
>username        Crypt-Password = "Kkl8nasd_29bakJ"
>                Service-Type = Framed-User,
>                Framed-Protocol = PPP,
>                Ascend-Maximum-Call-Duration = 120

Interesting - which RADIUS are you using?  They vary in capabilities,
and few support Crypt-Password.

>Our users are staff members and students.
>
>We want ONLY staff to be able to authenticate through the two new 
>Maxen... but both staff and students to be able to use the existing 
>Max4000.
>
>Can somebody tell how I can achieve this with RADIUS and the Maxen?

Perhaps your RADIUS supports 'Group' as a check item?  In that case you
could make two system groups - staff and students, or even just one for staff.
I'm basing this on Lucent RADIUS 2.0.1 (on UNIX) since I know it best - but
you can only legally use that if you own a PortMaster.

If not, something like this:

username	Auth-Type = Local, Crypt-Password = "Kkl8nasd_29bakJ", NAS-IP-Address = 1.1.1.1
		Service-Type = Framed-User,
		Framed-Protocol = PPP,
		Ascend-Maximum-Call-Duration = 120

username	Auth-Type = Local, Crypt-Password = "Kkl8nasd_29bakJ", NAS-IP-Address = 1.1.1.2
		Service-Type = Framed-User,
		Framed-Protocol = PPP,
		Ascend-Maximum-Call-Duration = 120

DEFAULT		Auth-Type = Reject, NAS-IP-Address = 1.1.1.1

DEFAULT		Auth-Type = Reject, NAS-IP-Address = 1.1.1.2

username	Auth-Type = Local, Crypt-Password = "Kkl8nasd_29bakJ"
		Service-Type = Framed-User,
		Framed-Protocol = PPP,
		Ascend-Maximum-Call-Duration = 120


The first two entries check the user first on one MAX (1.1.1.1 - this is the
IP of course), and then the other.  The second two reject anyone else who 
tries to connect from those units.  (Note, of course, that anyone who should be
allowed must be listed BEFORE the DEFAULT entries.)  Then the last would start the
general listing for the other units.

This could be MUCH cleaner if you can use the system password files and the
Group check item.

DEFAULT	Auth-Type = System, Group = "staff", NAS-IP-Address = 1.1.1.1
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Ascend-Maximum-Call-Duration = 120

DEFAULT	Auth-Type = System, Group = "staff", NAS-IP-Address = 1.1.1.2
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Ascend-Maximum-Call-Duration = 120

DEFAULT	Auth-Type = Reject, NAS-IP-Address = 1.1.1.1

DEFAULT	Auth-Type = Reject, NAS-IP-Address = 1.1.1.2

DEFAULT	Auth-Type = System
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Ascend-Maximum-Call-Duration = 120


That's all.  The first two handle anyone in group 'staff' for the two
restricted chassis, the second two reject anyone not in that group on those
chassis, and the last entry is everyone on the other chassis.

-MZ
-- 
<URL:mailto:megazone@megazone.org> Gweep, author, webmaster, human being, me
"A little nonsense now and then, is relished by the wisest men" 781-788-0130
<URL:mailto:megazone@gweep.net> <URL:http://www.megazone.org/> Hail Discordia!
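Added example, not code from this thread or from any RADIUS server: a small Python simulation of the first-match walk through a users file written like the Group-based listing above. It assumes constructed accounts (alice in group staff, bob in group students), 1.1.1.1 as one of the restricted MAXen and 1.1.1.3 as the unrestricted Max4000, and it does not simulate the Auth-Type = System password check itself; the last case shows what happens when a DEFAULT Reject entry is listed before the entry that should allow staff.

```python
import re
# Constructed users file in the post's format: 1.1.1.1 stands for one of the
# staff-only MAXen; any other NAS address falls through to the last entry.
USERS_FILE = """\
DEFAULT\tAuth-Type = System, Group = "staff", NAS-IP-Address = 1.1.1.1
\tService-Type = Framed-User,
\tAscend-Maximum-Call-Duration = 120

DEFAULT\tAuth-Type = Reject, NAS-IP-Address = 1.1.1.1

DEFAULT\tAuth-Type = System
\tService-Type = Framed-User,
\tAscend-Maximum-Call-Duration = 120
"""
GROUPS = {"alice": "staff", "bob": "students"}   # constructed stand-in for /etc/group
ITEM_RE = re.compile(r'\s*([\w-]+)\s*=\s*"?([^",]+?)"?\s*(?:,|$)')

def parse_users(text):
    """Return one (name, check_items, reply_items) tuple per entry, in file order."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = lines[0].split(None, 1)          # entry name, then the check items
        checks = dict(ITEM_RE.findall(head[1] if len(head) > 1 else ""))
        reply = dict(ITEM_RE.findall(" ".join(l.strip() for l in lines[1:])))
        entries.append((head[0], checks, reply))
    return entries

def authorize(entries, user, nas_ip):
    """First-match walk: an entry whose check items do not all match is skipped."""
    group = GROUPS.get(user)
    for name, checks, reply in entries:
        if (name not in ("DEFAULT", user) or checks.get("NAS-IP-Address", nas_ip) != nas_ip
                or checks.get("Group", group) != group):
            continue
        if checks.get("Auth-Type") == "Reject":
            return "reject", f"Reject entry matched for NAS {nas_ip}"
        return "accept", reply                  # Auth-Type = System password check not simulated
    return "reject", "no entry matched"

def demo():
    """Outcomes for the cases the post distinguishes, plus its ordering caveat."""
    entries = parse_users(USERS_FILE)
    reject_first = [entries[1], entries[0]] + entries[2:]   # DEFAULT Reject moved up
    return {
        "staff on 1.1.1.1": authorize(entries, "alice", "1.1.1.1")[0],
        "student on 1.1.1.1": authorize(entries, "bob", "1.1.1.1")[0],
        "student on 1.1.1.3": authorize(entries, "bob", "1.1.1.3")[0],
        "staff on 1.1.1.1, Reject first": authorize(reject_first, "alice", "1.1.1.1")[0],
    }
```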

++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>