
ssh radius auth without VSA

Posted: 08 Sep 2017 11:23
by tibz
Hello,
I'm trying to have radius auth for administrators working without having to return the VSA.
I've read on this page https://wiki.freeradius.org/vendor/alcatel-lucent that we can return these attributes for full admin:
Xylan-Asa-Access = "all",
Xylan-Acce-Priv-F-W1 = 0xFFFFFFFF,
Xylan-Acce-Priv-F-W2 = 0xFFFFFFFF

This is fine, when I do this, it works.

My problem is that I need to have the auth working WITHOUT having to send these attributes.

Reading this documentation (http://enterprise.alcatel-lucent.com/as ... /os_sw.pdf) there is a user called "default" which I understand can be used for this. The document says on page 247 (9-9): The privilege default is particularly important for users who are authenticated via an ACE/Server, which only supplies username and password information; or for users who are authenticated via a RADIUS or LDAP server on which privileges are not configured.

So I've changed the settings of that "default" user to give him full rw access, but it refuses to work. My radius sends a "request-accepted" but the switch does not let me in because the attributes are not present...

Any idea what is wrong? Or is the documentation just wrong? (or misunderstood by me :-))

Thank you

Re: ssh radius auth without VSA

Posted: 09 Sep 2017 14:33
by cavagnaro
Don't double post

Sent from my E6633 using Tapatalk


Re: ssh radius auth without VSA

Posted: 15 Nov 2017 12:03
by silvio
You can try the command:
aaa authentication default NPS local (where NPS is your configured aaa radius server).
I never tested it. I always use the vendor specific option.
Regards
Silvio