[j-nsp] RADIUS returning class|permissions information

Adam Szymajda aszymajd at wp.pl
Wed Feb 4 09:19:05 EST 2004

Hi all,

I have a question: is it possible for a RADIUS server to send 
information about the user class, or at least the permission bits 
that are set for a particular user, back to Juniper? Because there are 
only three Juniper VSAs defined (Juniper-Local-User-Name, 
Juniper-Allow-Commands and Juniper-Deny-Commands), there are 
only two solutions that came to my mind:

1) After I authenticate on RADIUS (e.g. as 'adam at juniper'), it 
returns another user name back to the router (e.g. 'test') that 
is locally configured and belongs to an appropriate class. That 
works fine up to the moment of issuing a "request routing-engine 
login other-routing-engine" command. The router lets me into the 
other RE as user 'test' instead of 'adam at juniper'. But that 
takes away the possibility to distinguish between the users 
belonging to the same class on that RE. And I'm really anxious 
to have that possibility, so this ain't a good solution.

2) To translate all the permission bits (e.g. configure, 
control, interface-control etc.) to regular expressions 
and supply the result to RADIUS. All users have their own 
Juniper-Allow-Commands and Juniper-Deny-Commands VSAs defined as 
a set of those regexps. But that's quite a nasty job to do...

Is there any solution that is not so complex?

Best Regards,


