The RADIUS users file on the RADIUS server stores authentication and authorization information for all users authenticated with RADIUS. Each user has an entry which consists of three parts: the username, a list of check items, and a list of reply items. For example:
```
bob     Password = "ge55ep"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        Framed-IP-Netmask = 255.255.255.255,
        Framed-Routing = None,
        Framed-Compression = Van-Jacobson-TCP-IP,
        Filter-Id = "std.ppp",
        Framed-MTU = 1500
```
Note - Several common user entries are listed in "Examples." All check items and reply items are listed in the Check and Reply Item Table.
Each user entry must have a username. As stated in the previous section, a username must consist of up to 63 non-whitespace printable ASCII characters.
Check items may consist of any of the following: password information, client information, prefixes, or suffixes.
Two password characteristics may be specified in a user entry: where the password is stored, and when it expires.
The Auth-Type check item is used to specify the type of authentication to use for a particular user. Auth-Type may be set to one of the following: Local, System, or SecurID. If this check item is omitted from the user entry, Local is assumed.
```
bob     Auth-Type = Local, Password = "ge55ep"
```
Note - When a user's password is stored locally, the Auth-Type check item may be omitted; only the Password check item is required.
```
bob     Auth-Type = System
```
The System Auth-Type is equivalent to the RADIUS 1.16 Password = "UNIX", which is also permitted in RADIUS 2.0 for backwards compatibility.
```
bob     Password = "UNIX"
```
```
bob     Auth-Type = SecurID
```
To receive a passcode from SecurID, the ACE/Server software must be running on the same UNIX host as the RADIUS server. In this case, the RADIUS server serves as an ACE/Server Master. If the ACE/Server Master is installed on a different host, the RADIUS server must be configured as an ACE/Server Slave. See "SecurID Installation" for instructions.
To disable logins after a particular date, add the Expiration check item to the user entry, as in the following example:
```
bob     Password = "ge55gep", Expiration = "Dec 04 1996"
```
The two Server-Config VALUE items shown below control how the expiration date is updated and when users are warned:
```
VALUE Server-Config Password-Expiration 30
VALUE Server-Config Password-Warning 5
```
The first parameter, Password-Expiration, updates the Expiration date in the users file when a user changes his password. In this example, Password-Expiration is set to 30. If user bob changes his password on January 1, 1997, his Expiration date in the users file changes to Jan 31, 1997.
Password-Warning controls when users are notified that their accounts are about to expire. In the example above, users receive warning messages 5 days before their password expiration date.
Note - A mechanism to permit users to change their passwords is outside the scope of RADIUS. RADIUS 2.0 supports radpass for backwards compatibility with sites that already use it; however, use of radpass is not recommended, and support will be removed in a future release of RADIUS.
The NAS-IP-Address check item specifies the IP address of a particular PortMaster. When this setting is used as a check item in a user entry, the user must be attempting to start a connection on the specified PortMaster in order for the connection to succeed.
The NAS-Port check item may be used to specify a particular PortMaster port. To be successfully authenticated, the user must be attempting to log into this port.
The NAS-Port-Type check item may be used to specify the type of port. Options for the NAS-Port-Type are as follows: Async, Sync, ISDN, ISDN-V120, or ISDN-V110. The PortMaster must run ComOS release 3.3.1 or later to support NAS-Port-Type.
The following example displays a user entry containing the NAS-IP-Address and NAS-Port-Type settings.
```
bob     Password = "ge55gep", NAS-IP-Address = 192.168.1.54, NAS-Port-Type = ISDN
        Service-Type = Framed-User,
        Framed-Protocol = PPP
```
The Prefix and Suffix check items allow a user to access multiple services by prepending or appending a series of characters to his username.
Prefixes and Suffixes are most useful when defined in the DEFAULT user entry (see the example below); however, they may also be used with individual user entries. Prefix and Suffix strings must consist of 16 or fewer alphanumeric printable ASCII characters.
```
Pbob    Auth-Type = System, Prefix = "P"
        Framed-Protocol = PPP
```
In the above example, bob's username and password are stored in a system password file. In order for bob to use this particular account, he must specify a username of Pbob when attempting to connect to the PortMaster.
The RADIUS server strips any prefixes and suffixes and looks up the username. Using the previous example, the RADIUS server would strip the P and check the system password for bob.
```
DEFAULT Auth-Type = System, Suffix = "%slip"
        Framed-Protocol = SLIP
```
If bob specified a username of bob%slip, the RADIUS server would configure bob's connection using the settings in the DEFAULT entry.
Reply items are sent to the PortMaster to provide information about the type of service to provide the user.
The type of service provided to the user, called the Service-Type, must be specified in each user entry. Service-Type must be set to one of these values:
| Service-Type | Explanation |
|---|---|
| Login-User | User connects via Telnet, Rlogin, pmd, or TCP-Clear. |
| Framed-User | User uses PPP or SLIP for the connection. |
| Outbound-User | User uses Telnet for outbound connections. |
| Callback-Login-User | The PortMaster verifies the user's identity by disconnecting the port and dialing the user back at a specified number. The user's identity must be verified before the connection is permitted. |
| Callback-Framed-User | The PortMaster verifies the user's identity by disconnecting the port and dialing the user back using a specified Location Table entry. When the user's identity is verified, PPP or SLIP is used for the connection. |
Note - To configure the callback number or location, see "Callback Information."
In the following example, user bob's Service-Type is Framed-User.
```
bob     Auth-Type = System
        Service-Type = Framed-User
```
When the Service-Type is Framed-User, the Framed-Protocol reply item should be included in the user entry to indicate whether PPP or SLIP is used. For example, user bob is a PPP user. His user entry includes the following lines:
```
bob     Auth-Type = System
        Service-Type = Framed-User,
        Framed-Protocol = PPP
```
Framed-Protocol can also be used as a check item, requiring PPP autodetection by the PortMaster before the entry matches.
```
bob     Auth-Type = System, Framed-Protocol = PPP
        Service-Type = Framed-User,
        Framed-Protocol = PPP
```
To authenticate a user using PAP, set the Auth-Type to any of the following: Local, System, or SecurID. To authenticate a user using CHAP, the Auth-Type must be Local and PAP must be turned off using the following command on the PortMaster:
```
set pap off
```
The Framed-IP-Address reply item is used to specify the user's IP address.
When Framed-IP-Address is set to 255.255.255.255, the PortMaster negotiates the address with the end-node (dial-in user). When it is set to 255.255.255.254 (or omitted), the PortMaster assigns an IP address to the dial-in user from the Assigned Address Pool.
Note - To create an Assigned Address Pool for the PortMaster, see the Configuration Guide for PortMaster Products.
A netmask may be specified for a user using the Framed-IP-Netmask reply item. If this reply item is omitted, the default subnet mask of 255.255.255.255 is used.
The Framed-Route reply item adds a route to the PortMaster's routing table when service to the user begins. Three pieces of information are required: the destination IP address, the gateway IP address, and the metric. An example is shown below.
```
bob     Auth-Type = System
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 150.128.1.1,
        Framed-Route = "150.128.1.0 150.128.1.1 1"
```
In this example, 150.128.1.0 is the IP address of a destination network. 150.128.1.1 is the IP address of the gateway for this network, and 1 is the metric (hop count).
If 0.0.0.0 is specified as the gateway IP address, the user's IP address is substituted for the gateway.
The Outbound-User setting allows a user to gain outbound access to network device ports using Telnet. This feature is supported in ComOS version 3.3.2 or later and RADIUS 2.0. In order to use this feature, the port must be set to device /dev/network or twoway /dev/network.
To restrict users to outbound access, Service-Type = Outbound-User must be a check item in the user entry. The Login-TCP-Port setting may be used to specify the TCP port for the connection; the port must be between 10000 and 10100. An example is displayed below.
```
bob     Password = "ge55gep", Service-Type = Outbound-User
        Service-Type = Outbound-User,
        Login-Service = Telnet,
        Login-TCP-Port = 10000
```
Using the above example, when user bob is attempting an outbound connection, the PortMaster client checks its local User Table for an entry for bob. If bob is not found in the table, the PortMaster sends an access-request to the RADIUS server indicating that bob is an Outbound-User.
The RADIUS server examines bob's entry in the users file; if Outbound-User is included as a reply item, the PortMaster is notified to permit the connection.
The PortMaster should be configured as shown in the example below. This example configures port s1, however, multiple ports may be configured to listen at different TCP port numbers or at the same TCP port number to create a pool of devices.
```
set s1 device /dev/network
set s1 service_device telnet 10000
set s1 modem off
```
In order for a user to be authenticated using callback, a phone number or location must be specified in the user's entry.
When a user's Service-Type is Callback-Login-User, a phone number must be specified using the Callback-Number reply item.
```
bob     Password = "ge55gep"
        Service-Type = Callback-Login-User,
        Callback-Number = "9,1-800-555-1212"
```
After the RADIUS server verifies the password for user bob, it sends an access-accept message including the Callback-Number to the PortMaster. The PortMaster calls the user back at the specified number; if the user is reached successfully, the PortMaster asks the user to re-enter his password and then sets up the connection.
When a user's service type is Callback-Framed-User, a location must be specified using the Callback-Id setting. An example is displayed below.
```
bob     Password = "ge55gep"
        Service-Type = Callback-Framed-User,
        Callback-Id = "bobhome"
```
After the RADIUS server verifies the password for user bob, it sends an access-accept message including the Callback-Id to the PortMaster. The PortMaster checks its local Location Table; if there is a matching location name, it makes the connection using that location's settings.
Note - Creating Location Table entries is covered in "Configuring Dial-Out Locations" in the Configuration Guide for PortMaster Products.
The Framed-Routing reply item controls how RIP is used on the user's interface. The RIP options are None (RIP is disabled on the interface), Broadcast (the interface sends RIP updates), Listen (the interface listens for RIP updates), and Broadcast-Listen (the interface both sends and listens for RIP updates).
The following example displays user bob's user entry. Framed-Routing is set to None; bob's interface neither sends nor listens for RIP updates.
```
bob     Password = "ge55gep"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Routing = None
```
Typically, Framed-Routing is set to Broadcast-Listen for connections to other routers, and set to None for user connections.
Each PPP or SLIP user authenticated with RADIUS may be associated with packet filters using the Filter-Id reply item. In the following example, the user filter is used during bob's connection.
```
bob     Password = "ge55gep"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Filter-Id = "user"
```
Filters must be defined on each PortMaster the user accesses. To control whether the filter restricts incoming or outgoing traffic, the filter defined on the PortMaster must have an .in or .out suffix attached to its name. In the above example, the filter user.in is used as a filter for packets entering the PortMaster via the interface, and user.out is used as an output filter for packets leaving the PortMaster via the interface.
The .in and .out suffixes do not need to be specified in the user entry. When a user dials in to the PortMaster, the .in or .out suffix is automatically appended to the filter name provided by RADIUS.
Note - To configure filters on a PortMaster, see the "Configuring Filters" chapter of the Configuration Guide for PortMaster Products.
Each host prompt login user authenticated with RADIUS may be associated with an access filter using the Filter-Id reply item. In the following example, the gnric filter is used to restrict the hosts that bob may access during a connection:
```
bob     Password = "ge55gep"
        Service-Type = Login-User,
        Login-IP-Host = 255.255.255.255,
        Login-Service = Telnet,
        Login-TCP-Port = 23,
        Filter-Id = "gnric"
```
Access filters must be defined on each PortMaster the user accesses, using the same name as the Filter-Id. The access filter name defined in the user record must be exactly the same as the filter name defined on the PortMaster. The PortMaster does not append anything to the name of an access filter, unlike packet filters.
When a user's Service-Type is Login-User or Callback-Login-User, two pieces of information may be supplied: the service used to connect to the host, and the name or IP address of the remote host. A TCP port number may optionally be supplied.
To specify the login service, use the Login-Service reply item. The Login-Service values are Telnet, Rlogin, TCP-Clear, and PortMaster.
The name or IP address of the remote host is specified using the Login-IP-Host reply item. If the user is to log into a particular TCP port on the remote host, the port number may be specified using the Login-TCP-Port reply item.
An example is displayed below. In this entry, user bob is authenticated, then called back at the Callback-Number. If successfully authenticated, a Telnet connection to port 23 on host 192.168.1.76 is established.
```
bob     Password = "ge55gep"
        Service-Type = Callback-Login-User,
        Login-IP-Host = 192.168.1.76,
        Login-Service = Telnet,
        Login-TCP-Port = 23,
        Callback-Number = "9,1-800-555-1234"
```
If Login-IP-Host is set to 0.0.0.0 or omitted, the host defined for the port is used. If Login-IP-Host is set to 255.255.255.255, the user is presented with a Host: prompt; the user enters the hostname or the host's IP address at this prompt.
The Framed-MTU reply item configures the Maximum Transmission Unit for a user's connection.
```
Framed-MTU = 1500
```
Framed-MTU is only used for PPP and SLIP connections. For PPP connections, the Framed-MTU may be between 100 and 1520 bytes. SLIP connections may have an MTU between 100 and 1006 bytes. On IPX networks, Framed-MTU should be set to at least 600 bytes.
Note - If PPP negotiates an MTU for the connection, the Framed-MTU setting is ignored.
Van Jacobson TCP/IP Header Compression is enabled by default. To disable compression, set the Framed-Compression setting to None.
```
Framed-Compression = None
```
When an IPX network is used for a particular user's connection, the Framed-IPX-Network reply item must appear in the user entry. The PortMaster supports IPX over PPP.
Framed-IPX-Network must be specified in dotted quad format (xx.xx.xx.xx). For example, the hexadecimal network number 123456 must be expressed as 0.18.52.86.
```
bob     Password = "testing"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IPX-Network = 0.18.52.86
```
To convert an IPX hexadecimal network number to dotted quad format (and back), use the following Perl script:
```perl
#!/usr/local/bin/perl
# hex - convert IPX network numbers from dotted quad to hexadecimal and vice versa
for (@ARGV) {
    if (/\./) {                     # dotted quad -> hex
        @octets = split(/\./, $_);
        for $octet (@octets) {
            printf "%02X", $octet;
        }
        print "\n";
    } else {                        # hex -> dotted quad
        # Left-pad to eight hex digits so that 123456 yields 0.18.52.86
        # rather than 18.52.86 (the leading zero octet must be kept).
        $_ = ('0' x (8 - length($_))) . $_ if length($_) < 8;
        $buf = '';
        while (s/\w\w//) {
            $buf .= hex($&) . '.';
        }
        $buf =~ s/\.$/\n/;
        print $buf;
    }
}
```
This section describes the reply items introduced in RADIUS 2.0. To use RADIUS 2.0, all PortMaster clients must be using ComOS version 3.3.1 or later. ComOS version 3.3.3 or later is recommended.
Session-Timeout specifies the time limit for a session. When this reply item appears in a user entry, the user is disconnected when the time limit is reached.
Session-Timeout is specified as a particular number of seconds, up to a maximum of 31536000 (1 year).
```
bob     Password = "ge55gep"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Session-Timeout = 7200
```
In the above example, user bob is automatically disconnected after 7200 seconds (2 hours).
The Idle-Timeout specifies the time a session may be idle before it is disconnected. Idle-Timeout is specified as a number of seconds between 120 (2 minutes) and 14400 (4 hours), and is rounded down to a multiple of 60.
```
bob     Password = "ge55gep"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Idle-Timeout = 600
```
In the above example, if the session is inactive longer than 600 seconds (10 minutes), user bob is disconnected.
Note - Idle-Timeout and Session-Timeout values are specified in seconds in the RADIUS users file. If these timeout values are set using the PortMaster command line interface or PMconsole, they are specified in minutes.
The Port-Limit reply item controls the maximum number of ports available for a Multilink PPP or Multilink V.120 connection. Port-Limit only applies to ISDN connections; other connection types are not affected.
The Port-Limit value may be as high as the maximum number of B channels available for the ISDN ports. For example, if a PortMaster has 15 ISDN BRI ports, the Port-Limit value may be as high as 30.
```
bob     Password = "ge55gep", NAS-Port-Type = ISDN
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Port-Limit = 1
```
In the above example, user bob's connection may use only one B channel.
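The limits given above for Framed-MTU, Login-TCP-Port (Outbound-User), Session-Timeout, Idle-Timeout and Port-Limit are easy to get wrong when the users file is edited by hand, and the PortMaster silently rounds or ignores some out-of-range values. The following Python function is an added example, not part of the RADIUS distribution: it applies those limits to one entry, given as two dictionaries of check items and reply items, and returns the problems it finds. The B-channel count and the sample entries are constructed for the example.

```python
"""Range checks for the RADIUS users-file reply items described above.

Added example; not code from the RADIUS distribution.  Values are taken
as strings, exactly as they appear in the users file.
"""

B_CHANNELS = 30   # constructed: a PortMaster with 15 ISDN BRI ports


def effective_idle_timeout(seconds):
    """Idle-Timeout as the PortMaster applies it: rounded down to a
    multiple of 60 seconds."""
    return (int(seconds) // 60) * 60


def check_ranges(check, reply, max_b_channels=B_CHANNELS):
    """Return a list of problems in one user entry (empty when none)."""
    problems = []
    proto = reply.get("Framed-Protocol")
    service = reply.get("Service-Type") or check.get("Service-Type")

    # Framed-MTU: 100-1520 for PPP, 100-1006 for SLIP, unused otherwise.
    if "Framed-MTU" in reply:
        mtu = int(reply["Framed-MTU"])
        upper = {"PPP": 1520, "SLIP": 1006}.get(proto)
        if upper is None:
            problems.append("Framed-MTU is only used for PPP and SLIP connections")
        elif not 100 <= mtu <= upper:
            problems.append(f"Framed-MTU {mtu} outside 100-{upper} for {proto}")

    # Outbound-User connections must use a TCP port between 10000 and 10100.
    if service == "Outbound-User" and "Login-TCP-Port" in reply:
        port = int(reply["Login-TCP-Port"])
        if not 10000 <= port <= 10100:
            problems.append(f"Login-TCP-Port {port} outside 10000-10100 for Outbound-User")

    # Session-Timeout: seconds, at most one year.
    if "Session-Timeout" in reply:
        limit = int(reply["Session-Timeout"])
        if limit > 31536000:
            problems.append(f"Session-Timeout {limit} exceeds 31536000 seconds (1 year)")

    # Idle-Timeout: 120-14400 seconds, rounded down to a multiple of 60.
    if "Idle-Timeout" in reply:
        idle = int(reply["Idle-Timeout"])
        if not 120 <= idle <= 14400:
            problems.append(f"Idle-Timeout {idle} outside 120-14400 seconds")
        elif idle % 60:
            problems.append(f"Idle-Timeout {idle} is applied as {effective_idle_timeout(idle)}")

    # Port-Limit: ISDN only, and never more B channels than the box has.
    if "Port-Limit" in reply:
        ports = int(reply["Port-Limit"])
        port_type = check.get("NAS-Port-Type")
        if port_type is not None and not port_type.startswith("ISDN"):
            problems.append(f"Port-Limit has no effect on NAS-Port-Type {port_type}")
        if ports > max_b_channels:
            problems.append(f"Port-Limit {ports} exceeds the {max_b_channels} B channels available")

    return problems


# Constructed sample entries: one that passes and one with two violations.
GOOD_PPP = ({"Password": "ge55gep"},
            {"Service-Type": "Framed-User", "Framed-Protocol": "PPP",
             "Framed-MTU": "1500", "Idle-Timeout": "600", "Session-Timeout": "7200"})
BAD_SLIP = ({"Auth-Type": "System"},
            {"Service-Type": "Framed-User", "Framed-Protocol": "SLIP",
             "Framed-MTU": "1500", "Idle-Timeout": "90"})

if __name__ == "__main__":
    for label, (check, reply) in (("good", GOOD_PPP), ("bad", BAD_SLIP)):
        print(label, check_ranges(check, reply))
```

Running the checks before the file is handed to builddbm (see below) catches the SLIP entry that reuses a PPP-sized MTU and the idle timeout that is below the minimum, both of which the server itself would accept without complaint.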
When the RADIUS server receives a username/password pair from a PortMaster, the RADIUS server scans the users file for a match, starting from the top of the file. If a match is located, the user is authenticated using the information in that user entry. If a matching user entry is not found during the scan, but a matching DEFAULT entry is located, that entry is used.
The DEFAULT entry is typically used with Auth-Type System or SecurID. These entries should appear at the end of the users file; the RADIUS server stops scanning entries when a matching DEFAULT entry is found.
```
DEFAULT Auth-Type = System
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        Framed-Routing = None,
        Filter-Id = "user",
        Framed-MTU = 1500
```
For example, user bob's password is stored in a UNIX password file. When he attempts to connect to the network, the RADIUS server scans the users file to determine if there is a matching user entry. If a matching entry is not found before the DEFAULT entry is found, the DEFAULT entry is used. Since the DEFAULT entry includes Framed-Protocol = PPP as a reply item, PPP is used for bob's connection.
Note - In RADIUS version 1.16, only one DEFAULT entry was permitted.
RADIUS 2.0 permits multiple DEFAULT user entries. To distinguish between DEFAULT entries, the Prefix and Suffix settings are used. When users prepend or append the Prefix or Suffix to their username, the RADIUS server matches them to the corresponding DEFAULT entry.
```
DEFAULT Auth-Type = System, Prefix = "P"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        Framed-Routing = None,
        Framed-MTU = 1500

DEFAULT Auth-Type = System, Suffix = "%C"
        Service-Type = Framed-User,
        Framed-Protocol = SLIP,
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 1006

DEFAULT Auth-Type = System, Prefix = "S"
        Service-Type = Framed-User,
        Framed-Protocol = SLIP,
        Framed-IP-Address = 255.255.255.254,
        Framed-Compression = None,
        Framed-MTU = 1006
```
In the above example, assume that user bob's password is stored in a UNIX password file and that there is not a matching entry in the RADIUS users file. If bob uses Pbob as his username, the first DEFAULT entry is used, and bob is authenticated as a PPP user. If bob logs in as bob%C, the second DEFAULT entry is used and he is authenticated as a CSLIP user.
DEFAULT entries may be named simply DEFAULT, or they may have a number appended to the end of the entry name, for example, DEFAULT1, DEFAULT2, etc. An example is shown below.
```
DEFAULT1        Auth-Type = System, Prefix = "P"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        Framed-Routing = None,
        Framed-MTU = 1500

DEFAULT2        Auth-Type = System, Suffix = "%C"
        Service-Type = Framed-User,
        Framed-Protocol = SLIP,
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 1006

DEFAULT3        Auth-Type = System, Prefix = "S"
        Service-Type = Framed-User,
        Framed-Protocol = SLIP,
        Framed-IP-Address = 255.255.255.254,
        Framed-Compression = None,
        Framed-MTU = 1006
```
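The lookup order described in this section (scan the file from the top, take the first entry whose name matches, otherwise the first DEFAULT entry whose Prefix and Suffix the login name carries, and strip those affixes before the system password lookup) can be made concrete in a short program. The following Python is an added example and is not code from the RADIUS server; the users-file text it parses is constructed, and its handling of a Prefix on a named entry (the entry name must equal the full login name, after which the Prefix is stripped for the backend lookup) follows the Pbob example earlier on this page.

```python
"""Users-file lookup as described on this page: scan from the top, first
matching entry wins, Prefix/Suffix are stripped, DEFAULT entries are the
fallback.  Added example; not code from the RADIUS distribution.  The
users-file text below is constructed for the example.
"""
import re
from datetime import date, datetime

USERS_FILE = """\
bob     Password = "ge55gep", Expiration = "Dec 04 1996"
        Service-Type = Framed-User,
        Framed-Protocol = PPP

DEFAULT1        Auth-Type = System, Prefix = "P"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-MTU = 1500

DEFAULT2        Auth-Type = System, Suffix = "%C"
        Service-Type = Framed-User,
        Framed-Protocol = SLIP,
        Framed-MTU = 1006

DEFAULT3        Auth-Type = System
        Service-Type = Login-User,
        Login-Service = Telnet
"""

# Name = value pairs; a quoted value may contain spaces and commas.
ITEM_RE = re.compile(r'([\w-]+)\s*=\s*("[^"]*"|[^,\s]+)')


def parse_items(text):
    """Parse 'Name = value, Name = "value"' into a dict (quotes removed)."""
    return {name: value.strip('"') for name, value in ITEM_RE.findall(text)}


def parse_users(text):
    """Return [(entry name, check items, reply items)] in file order.

    An entry starts with a line whose first column is the entry name
    followed by its check items; reply items follow on indented lines.
    """
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():                 # continuation: reply items
            entries[-1][2].update(parse_items(line))
        else:
            parts = line.split(None, 1)
            rest = parts[1] if len(parts) > 1 else ""
            entries.append((parts[0], parse_items(rest), {}))
    return entries


def strip_affixes(login, check):
    """Remove the entry's Prefix and Suffix from the login name; None if
    the login does not carry them."""
    prefix, suffix = check.get("Prefix", ""), check.get("Suffix", "")
    if not (login.startswith(prefix) and login.endswith(suffix)):
        return None
    core = login[len(prefix):len(login) - len(suffix)]
    return core or None


def find_user(entries, login, today=None):
    """First matching entry as (entry name, backend name, reply items);
    None when nothing matches or the matching entry's password expired."""
    today = today or date.today()
    for name, check, reply in entries:
        if name.startswith("DEFAULT"):
            backend = strip_affixes(login, check)
            if backend is None:
                continue
        elif name == login:
            backend = strip_affixes(login, check) or login
        else:
            continue
        expires = check.get("Expiration")
        if expires and datetime.strptime(expires, "%b %d %Y").date() < today:
            return None                       # Expiration date has passed
        return name, backend, reply
    return None


ENTRIES = parse_users(USERS_FILE)

if __name__ == "__main__":
    for login in ("bob", "Pbob", "joe%C", "joe"):
        print(login, "->", find_user(ENTRIES, login, today=date(1996, 6, 1)))
```

Order matters: because the server stops at the first match, a DEFAULT entry without a Prefix or Suffix (DEFAULT3 here) must come last, or it would absorb every login intended for the entries after it. Note also that the named entry for bob, once expired, rejects bob outright rather than letting the request fall through to DEFAULT1.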
The builddbm utility included with RADIUS converts the users text file to the UNIX DBM format, which increases the speed of user lookups. Livingston recommends the use of the builddbm utility when the users file contains more than 500 users.
To run builddbm, use the following commands:
```
cd /etc/raddb
./builddbm
```
To run the radiusd daemon after the users file is converted to DBM, execute radiusd with the -b option.
```
/etc/radiusd -b
```
builddbm generates the users.dir and users.pag files, which are used by the radiusd daemon. On some versions of UNIX a users.db file is created instead.
Note - After the users file has been converted to the DBM format, builddbm must be run again if any changes are made to the user entries.
The following table lists all user entry check and reply items.
| Item | Options | Explanation | May be used as check item? | May be used as reply item? |
|---|---|---|---|---|
| User-Name | . | User's name. May be up to 63 characters. | N/A | No |
| Password | . | User's password. | Yes | No |
| Auth-Type | Local | User's password is stored in the RADIUS users file. Default. | Yes | No |
| | System | User's password is stored in a system password file. | Yes | No |
| | SecurID | User is authenticated via SecurID. | Yes | No |
| Expiration | Must be specified in "Mmm dd yyyy" format | Date that user's password expires. | Yes | No |
| Prefix | String of characters in double quotes | Prepended to username to match a user to a particular user entry. Used primarily for DEFAULT entries. | Yes | No |
| Suffix | String of characters in double quotes | Appended to username to match a user to a particular user entry. Used primarily for DEFAULT entries. | Yes | No |
| NAS-IP-Address | IP address | PortMaster's IP address. | Yes | No |
| NAS-Port | Number | The PortMaster port number that the user is dialed into (for example, 2 = S2). | Yes | No |
| NAS-Port-Type | ISDN | ISDN port. | Yes | No |
| | Async | Asynchronous port. | Yes | No |
| | Sync | Synchronous port. | Yes | No |
| | ISDN-V120 | ISDN in V.120 mode. | Yes | No |
| | ISDN-V110 | ISDN in V.110 mode. | Yes | No |
| Service-Type | Login-User | User connects via Telnet, Rlogin, PortMaster, or TCP-Clear login service. | No | Yes |
| | Framed-User | User uses PPP or SLIP for the connection. | Yes | Yes |
| | Outbound-User | User uses Telnet for outbound connections. | Yes | Yes |
| | Callback-Login-User | Calls user back and connects via Telnet, Rlogin, PortMaster, or TCP-Clear login service. | No | Yes |
| | Callback-Framed-User | Calls user back and establishes a Framed connection (PPP or SLIP). | No | Yes |
| Login-Service | Telnet | Establishes a Telnet connection to the remote host. | No | Yes |
| | Rlogin | Establishes an Rlogin connection to the remote host. | No | Yes |
| | TCP-Clear | Establishes a TCP clear connection to the remote host. | No | Yes |
| | PortMaster | Establishes a connection to the remote host using the PortMaster login service. | No | Yes |
| Login-IP-Host | IP address | Address of the remote host. | No | Yes |
| Login-TCP-Port | TCP port number | TCP port number of the Login-Service. | No | Yes |
| Framed-Protocol | PPP | PPP is used for the connection. | Yes | Yes |
| | SLIP | SLIP is used for the connection. | No | Yes |
| Framed-IP-Address | IP address | The user's IP address. | No | Yes |
| Framed-IP-Netmask | Netmask | The user's netmask. | No | Yes |
| Framed-Routing | None | Disables RIP on the interface. | No | Yes |
| | Broadcast | The interface sends RIP updates. | No | Yes |
| | Listen | The interface listens to RIP updates. | No | Yes |
| | Broadcast-Listen | The interface sends and listens to RIP updates. | No | Yes |
| Filter-Id | Filter name | Filter name to be used for packet or access filtering on the interface. | No | Yes |
| Framed-MTU | Number | Number of bytes in the Maximum Transmission Unit. | No | Yes |
| Framed-Compression | None | If this reply item is omitted, Van Jacobson TCP/IP header compression is used. | No | Yes |
| | Van-Jacobson-TCP-IP | Van Jacobson TCP/IP header compression is used for the connection. Default. | No | Yes |
| Reply-Message | Text message in double quotes (" ") | Display a message to the user after authentication. | No | Yes |
| Callback-Number | Phone number in double quotes (" ") | Specify only for Service-Type = Callback-Login-User. | No | Yes |
| Callback-Id | Location name in double quotes (" ") | Specify only for Service-Type = Callback-Framed-User. | No | Yes |
| Framed-IPX-Network | Dotted quad IPX network number | IPX network number. | No | Yes |
| Port-Limit | Number | Specify the number of B channels a user may have for ISDN MP or multilink V.120. | No | Yes |
| Session-Timeout | In seconds | Specify the time limit for a session. | No | Yes |
| Idle-Timeout | In seconds | Specify the idle time limit for a session. | No | Yes |
| Menu | Menu name in double quotes (" ") | Define a menu in a user record. | No | Yes |
| Termination-Menu | Menu name in double quotes (" ") | Menu to display after service is terminated. This item can only be set in a menu. | No | Yes |
User entries may be configured in a number of ways to fit network security requirements. The following examples illustrate a series of typical RADIUS user entries.
This example illustrates a typical RADIUS entry for a PPP user.
```
bob     Password = "ge55gep"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        Framed-Routing = None,
        Framed-Compression = Van-Jacobson-TCP-IP,
        Framed-MTU = 1500,
        Filter-Id = "user"
```
In this example, user bob has password ge55gep. He is a Framed-User, which indicates that he uses SLIP or PPP for his connections. The following line, Framed-Protocol, specifies PPP. An IP address of 255.255.255.254 is specified, indicating that an IP address is assigned to bob from the PortMaster Assigned Address Pool.
Note - To create an Assigned Address Pool, see the Configuration Guide for PortMaster Products.
Framed-Routing is set to None, which disables RIP for bob's interface. RIP packets are not sent or listened for. Van Jacobson TCP/IP compression is used for the connection, and the MTU (Maximum Transmission Unit) is set to 1500.
The Filter-Id identifies the packet filter used for the connection; if they exist on the PortMaster, user.in is used as an input filter and user.out is used as an output filter.
Creating multiple DEFAULT entries can eliminate the time required to create multiple accounts for users. Users prepend or append the prefix or suffix to their username when they attempt to log into the PortMaster; the RADIUS server uses these prefixes and suffixes to match the user to the corresponding DEFAULT entry.
In the following example, the users file contains four DEFAULT entries: one each for PPP, SLIP, CSLIP, and Telnet users.
```
DEFAULT1        Auth-Type = System, Prefix = "P"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        Framed-Routing = None,
        Filter-Id = "user",
        Framed-MTU = 1500

DEFAULT2        Auth-Type = System, Prefix = "S"
        Service-Type = Framed-User,
        Framed-Protocol = SLIP,
        Framed-IP-Address = 255.255.255.254,
        Framed-Compression = None

DEFAULT3        Auth-Type = System, Prefix = "C"
        Service-Type = Framed-User,
        Framed-Protocol = SLIP,
        Framed-IP-Address = 255.255.255.254,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT4        Auth-Type = System
        Service-Type = Login-User,
        Login-IP-Host = 172.16.1.4,
        Login-Service = Telnet
```
If user bob enters Pbob as his username, he is authenticated as a PPP user. If he enters Sbob as a username, he is authenticated as a SLIP user. If he enters bob as a username, he is authenticated as a Telnet user.