Ascend Archive
(ASCEND) NISplus + Radius = BUENO!
=),
Ok, figured it out thanks to a little help from dejanews. I had a
problem getting Radius to work at all using Sun's NIS+ - no passwd's were
being accepted from passwd.org_dir. I also had the problem of how to
disallow a few users that had accounts on that machine from being able to
log in via the Maxen. Here's what I did.
(1) In /etc/nsswitch.conf:

    passwd: files nisplus
    passwd: compat
    passwd_compat: nisplus

(2) Put a single `+' on the last line of /etc/passwd
This effectively put me in yp compatibility mode. Radius sees nis+
passwords now. Strange witchcraft, I know, but hey, it worked.
NOTE: Leaving out the `passwd: files nisplus' will ALLOW radius logins,
but it will DISALLOW telnet/console login (!).
As for the problem of disallowing certain accounts from gaining net access
thru Radius - I used a helpful little patch for users.c in radiusd. It
augments the `users' file syntax so as to authenticate via group ids
(gid). Like so:

    DEFAULT-100 Password="UNIX"
        User-Service = Framed-User,
        Framed-Protocol = PPP,
        Ascend-Blah = Ascend-Blah-Blah
    DEFAULT-101 Password="LOCKED"
        Ascend-Data-Service = Switched-Voice-Bearer

Now Radius will check `users' for the specific username, not finding it
it'll look in /etc/passwd, still not finding it it'll look in NIS+. There
it'll id the username, find its gid, and deal with it accordingly. If
the user's gid=100 then it checks the passwd. Barring typo-stupidity
it'll then let them in. If the user's gid=101 it kicks them right then
and there.
I got the patch from Jason Ackley (jackley@taos.com). Apparently
Portmaster Radius has had this capability for a while now.
Thanks to all those who helped me out!
Hope this helps others,
jasonb.
++ Ascend Users Mailing List ++
To unsubscribe: send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd: <http://www.nealis.net/ascend/faq>
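
An added example, not part of the original post and not the patch's own code: an audit sketch that reports which passwd accounts would be password-checked, locked, or left without a matching DEFAULT-<gid> entry under the scheme described above. The sample users and passwd data are constructed, the status labels are hypothetical names, and it only covers accounts that fall through to a DEFAULT-<gid> entry (per-user entries in `users` are not modelled).

```python
import re

# Constructed sample data (not from a real system).
USERS_FILE = '''\
DEFAULT-100 Password="UNIX"
    User-Service = Framed-User,
    Framed-Protocol = PPP
DEFAULT-101 Password="LOCKED"
    Ascend-Data-Service = Switched-Voice-Bearer
'''
PASSWD_LINES = '''\
alice:x:2001:100:Alice:/home/alice:/bin/sh
bob:x:2002:101:Bob:/home/bob:/bin/sh
carol:x:2003:102:Carol:/home/carol:/bin/sh
+
'''

# Entry header in the gid-augmented syntax shown in the post.
ENTRY = re.compile(r'^DEFAULT-(\d+)\s+Password\s*=\s*"([^"]*)"')

def parse_gid_defaults(text):
    """Map gid -> Password check value for each DEFAULT-<gid> entry."""
    rules = {}
    for line in text.splitlines():
        m = ENTRY.match(line)  # reply items are indented, so they never match
        if m:
            rules[int(m.group(1))] = m.group(2)
    return rules

def classify(passwd_text, rules):
    """Return {username: 'unix-auth' | 'locked' | 'no-entry' | 'other'}."""
    labels = {"UNIX": "unix-auth", "LOCKED": "locked"}
    result = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 4 or not fields[3].isdigit():
            continue  # skips the bare '+' compat marker and malformed lines
        check = rules.get(int(fields[3]))
        # Assumption: a gid with no DEFAULT-<gid> entry is only flagged here;
        # what radiusd does with it depends on the rest of the users file.
        result[fields[0]] = "no-entry" if check is None else labels.get(check, "other")
    return result

if __name__ == "__main__":
    report = classify(PASSWD_LINES, parse_gid_defaults(USERS_FILE))
    for user, status in report.items():
        print(f"{user}: {status}")
```

On a live system the passwd text would come from the name service (for example the output of `getent passwd`) rather than the inline sample.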