[j-nsp] RADIUS returning class|permissions information
aszymajd at wp.pl
Wed Feb 4 09:19:05 EST 2004
I have a question: is it possible for a RADIUS server to send
information about the user class, or at least the permission bits that
are set for a particular user, back to Juniper? Because there are
only three Juniper VSAs defined (Juniper-Local-User-Name,
Juniper-Allow-Commands and Juniper-Deny-Commands), only two solutions
came to my mind:

1) after I authenticate on RADIUS (e.g. as 'adam at juniper') it
returns another user name back to the router (e.g. 'test') that
is locally configured and belongs to an appropriate class. That
works fine up to the moment of issuing a "request routing-engine
login other-routing-engine" command. The router lets me onto the
other RE as user 'test' instead of 'adam at juniper'. But that
takes away the possibility to distinguish between the users
belonging to the same class on that RE. And I'm really anxious
to have that possibility, so this ain't a good solution.

2) to translate all the permission bits (e.g. configure,
control, interface-control etc.) to regular expressions
and supply the result to RADIUS. All users have their own
Juniper-Allow-Commands and Juniper-Deny-Commands VSAs defined as
a set of those regexps. But that's quite a nasty job to do...

Is there any solution that is not so complex?
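As an added illustration of approach 2 (not part of the original post): a small Python script that builds the Juniper-Allow-Commands / Juniper-Deny-Commands VSA values from a set of permission flags and lets you sanity-check a command against the generated regexes before deploying them. The flag-to-regex table, the always-deny list and the deny-first check order are assumptions for this example, not Junos's own internal mapping or precedence rules.

```python
import re

# Assumed mapping (not Junos's own): permission flag -> command regexes
# that a user holding that flag should be allowed to run.
PERMISSION_ALLOW = {
    "view": [r"show .*", r"ping .*", r"traceroute .*"],
    "configure": [r"configure", r"configure (exclusive|private)"],
    "interface-control": [r"clear interfaces .*", r"monitor interface .*"],
    "control": [r"commit.*", r"rollback.*"],
}

# Commands denied regardless of flags (assumed local policy).
ALWAYS_DENY = [r"request system (halt|reboot|power-off).*", r"start shell.*"]


def build_radius_vsas(perms, extra_deny=()):
    """Return the two Juniper VSA values for the given permission flags.

    Unknown flags raise ValueError so that a typo in the user database
    cannot silently grant or drop rights.
    """
    unknown = set(perms) - PERMISSION_ALLOW.keys()
    if unknown:
        raise ValueError(f"unknown permission flag(s): {sorted(unknown)}")
    allow = []
    for flag in sorted(perms):
        allow.extend(PERMISSION_ALLOW[flag])
    deny = list(ALWAYS_DENY) + list(extra_deny)
    # Junos treats the attribute as an extended regex; join alternatives with "|".
    return {
        "Juniper-Allow-Commands": "|".join(f"({r})" for r in allow),
        "Juniper-Deny-Commands": "|".join(f"({r})" for r in deny),
    }


def command_permitted(vsas, command):
    """Offline check of one command against the generated regexes.

    Deny is evaluated first here as a conservative assumption; the
    router's own precedence rules are what actually apply on the box.
    """
    deny = vsas["Juniper-Deny-Commands"]
    if deny and re.fullmatch(deny, command):
        return False
    allow = vsas["Juniper-Allow-Commands"]
    return bool(allow) and re.fullmatch(allow, command) is not None


if __name__ == "__main__":
    for attr, value in build_radius_vsas({"view", "configure"}).items():
        print(f'{attr} = "{value}"')
```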