Re: Configuration of users file

Dale E. Reed Jr. (no email)
Wed, 26 Mar 1997 22:50:45 -0800 (PST)

On Thu, 27 Mar 1997, Andrew Bilski wrote:

> My problem is that I am trying to understand Radius 2.0, see how close to
> it Radius NT is, and whether Radius NT can do what I need to have done.

RadiusNT 1.16.60 is on a different path than Livingston's 2.0.
About 80% of the code is custom to us, and it addresses what
ISPs want. I'll also admit that the text file mode is not going
to be supported in the long term, and it will be re-written to
be geared around ODBC.

> Any help would be appreciated.
>
> 1) Does Radius NT 60 provide the enhanced functionality of Radius 2.0?
> Mainly does it do timeouts, NAS port and multiple DEFAULTs?

Timeouts have nothing to do with RadiusNT. It's an attribute issue
specific to the NAS. RadiusNT can send any attribute you want.

I don't know what you are looking for with NAS-Port?

Multiple defaults is not really THAT useful. I mean, come on.
Do you really have people logging in with that many options?
Most ISPs do strict PPP, period. In ODBC mode, you can specify
defaults per account type with specific overrides per user.
It's much more useful/easier than multiple defaults.

> 2) Can I have certain users accessing all ports (i.e. including those with
> 56K modems) and others only selected ports? How would that be done?
> What happens if there are 2 entries in the user file with the same name
> but different NASport check item?
>
> tom password = "123",NAS-port = 22
> session-timeout = 7200
> ...
> tom password = "123"
> ...

Well, I can't really address text mode. In ODBC, the new beta has
port access control per group/region/service type. This allows you
to specify quite a bit of control on port access.

> Can I use
>
> DEFAULT Auth-Type = Local, NAS-port = 22
> Session-Timeout = 1
>
> ... hoping that it, with association with my dual entry for the same
> caller tom above, would result in inactivity timeout of 1 second for all
> those callers who do not have special record for calling on port 22 and
> are calling on that port; meanwhile all those who do have such secondary
> record for calling on port 22 would have their timeout set in that
> record.

I don't follow what you are trying to accomplish here? Session-Timeout
is NOT idle. ODBC mode would simply reject the auth if they were
not allowed to use that port. The only reason I could see the above
is to just dump someone so they don't keep trying to re-auth. On
the PM/Ascend, you can't set idle/session to less than two minutes,
also.

> Still with me or am I not making any sense? Am I missing the boat, the
> ship?

I think I follow some.

> The Radius manual gives only examples for the usage of DEFAULT with
> association of prefix and suffix. Can I use DEFAULT to shorten my file
> and shorten the editing time by placing all defaults at the bottom and
> creating just one line per user (with their name, password and expiration)?
> Or is it how it is being done and I am basically asking if the circle
> is round? :)

My first recommendation would be to use ODBC and dump the user
file. Anyone who is serious about RADIUS, should do that step
one, as anyone here using RadiusNT will attest to. This all
becomes simpler to manage.

> If you know thorough answers to all those questions but have no time to
> answer them here then please call me at 703.648.0808 with your hourly
> consulting rate and I just might pay it.

$75/hour normally. :)

Dale