Re: Pam and radius

>>> Cristian Gafton wrote
> Not yet. The RADIUS protocol cannot be used by default to handle user
> authentication out of the box. You will need to improve the RADIUS server
> to tell the client about user home dir, uid, shell, etc. Or another option

The Merit code (haven't looked at the Livingston stuff) allows you to
define arbitrary attributes for a user. We use this to put uid+gid in
there. The home directory can be generated (e.g. /home/u/username, or
/home/u/s/username, or whatever). We don't allow shell access. It depends
what you're trying to do. IMHO, the only application for RADIUS-only
authentication is for large numbers of users, all with exactly the same
sort of access (e.g. mail + ftp only).

> will be to have /etc/passwd lying around and instead of keeping passwords
> in the shadow file you test them against the RADIUS server. I prefer the

Ick. I don't like this. I want to be able to move users between machines
without having to mess about with large flat files of passwd information.
(There's also a problem that doing passwd files restricts you to only one set
of users per box - what if you want to allow fred@domain.com and
fred@otherdomain.com to both access the box separately? They're in
different RADIUS realms, but you're going to have to do some exceptionally
ugly hackery to get a passwd file to work for this.)

> later, and this is what I am implementing now. However, there are some
> problems waiting to be solved - adding users - you have to add the
> passwords to the RADIUS server too, and radius protocol does not allow
> this; - changing passwords - idem; managing failure states - what if the
> radius server is not responding ?

Fallback servers. Change the client code to fall back to a different server
if the first doesn't respond. User management must be handled out of band.

Ciscos support fallback servers; I'm assuming other brands of NAS do,
as well.
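The two mechanisms discussed in this thread (account data carried in per-user RADIUS attributes plus a generated home directory, and a client that falls back to the next server when one does not answer) as an added, stand-alone example; this is not code from the post, from Merit or from Livingston. It assumes two hypothetical site-defined attribute numbers (200 for uid, 201 for gid; a real deployment would use a Vendor-Specific attribute), a two-level home layout like /home/u/s/username, and a `send` callable so the fallback logic can be exercised offline with a constructed test double instead of live UDP. It also does the one check a RADIUS client must not skip: the Response Authenticator is verified against the shared secret before a reply is trusted, so a spoofed or mis-keyed Access-Accept is dropped rather than creating an account.

```python
"""RADIUS (RFC 2865) client: server fallback, reply authentication, attribute-derived accounts."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
ATTR_UID, ATTR_GID = 200, 201  # assumed site-defined attributes, not standard ones


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password.ljust(16 * max(1, (len(password) + 15) // 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def pack_attributes(attrs):
    """Type(1) Length(1) Value TLVs; Length covers the two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attributes(payload: bytes):
    attrs, i = [], 0
    while i + 2 <= len(payload):
        t, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed attribute")
        attrs.append((t, payload[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(ident: int, authenticator: bytes, username: str, password: str, secret: bytes) -> bytes:
    attrs = pack_attributes([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, encode_user_password(password.encode(), secret, authenticator)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def verify_response(reply: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret) (RFC 2865 3)."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def home_dir(username: str, depth: int = 2, root: str = "/home") -> str:
    """Generate the home directory from the name: depth 2 gives /home/u/s/username."""
    return "/".join([root, *username[:depth], username])


def account_from_accept(reply: bytes, username: str):
    """uid/gid come from the per-user attributes; None if the reply is not a usable Accept."""
    vals = dict(parse_attributes(reply[20:]))
    if reply[0] != ACCESS_ACCEPT or ATTR_UID not in vals or ATTR_GID not in vals:
        return None
    return {"uid": struct.unpack("!I", vals[ATTR_UID])[0],
            "gid": struct.unpack("!I", vals[ATTR_GID])[0],
            "home": home_dir(username)}


def _udp_send(server, packet: bytes, timeout: float) -> bytes:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, server)
        return s.recv(4096)


def authenticate(servers, username, password, secret, send=None, timeout=2.0, retries=2):
    """Try each (host, port) in order; a server that never answers is skipped, not fatal.

    Returns (server, verified reply) or (None, None) when every server is down or untrusted.
    """
    send = send or _udp_send
    ident = os.urandom(1)[0]
    for server in servers:
        auth = os.urandom(16)  # fresh Request Authenticator per server, reused on retransmit
        packet = build_access_request(ident, auth, username, password, secret)
        for _ in range(retries):
            try:
                reply = send(server, packet, timeout)
            except (socket.timeout, OSError):
                continue  # no answer: retransmit, then fall through to the next server
            if reply[1] == ident and verify_response(reply, auth, secret):
                return server, reply
            break  # answered, but authenticator mismatch: spoofed or mis-keyed, try the next server
    return None, None


def make_fake_sender(secret: bytes, responding, uid: int, gid: int):
    """Constructed test double for `send`: listed servers return Access-Accept, others time out."""
    def send(server, packet, timeout):
        if server not in responding:
            raise socket.timeout()
        attrs = pack_attributes([(ATTR_UID, struct.pack("!I", uid)), (ATTR_GID, struct.pack("!I", gid))])
        header = struct.pack("!BBH", ACCESS_ACCEPT, packet[1], 20 + len(attrs))
        return header + hashlib.md5(header + packet[4:20] + attrs + secret).digest() + attrs
    return send
```

Pass a real `servers` list and omit `send` to talk UDP to actual servers; the retransmit count and timeout are per server, so two dead servers cost `2 * retries * timeout` before the third is tried. Note that User-Password hiding is MD5-based obfuscation, not encryption; it is only as strong as the shared secret, which is why the reply check above matters.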


