Newsgroups: comp.unix.bsd.bsdi.misc
From: mschaff@host1.dia.net (Mitchell Schaff)
Subject: BSDI 3.0/Radius Question
X-Nntp-Posting-Host: 208.18.175.69
Message-ID: <5nnvkf$f6v@host1.dia.net>
Lines: 63
Sender: news@data-io.com (Usenet news)
Organization: Dakota Internet Access
Date: Thu, 12 Jun 1997 04:57:51 GMT
Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.cs.su.oz.au!inferno.mpx.com.au!news.ci.com.au!brian.telstra.net!act.news.telstra.net!news-out.internetmci.com!newsfeed.internetmci.com!news.dsource.com!cnn.isc-br.com!nwfocus.wa.com!nwnews.wa.com!entropy1!pilchuck!host1.dia.net!not-for-mail
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.bsdi.misc:7005

Hello. My name is Mitchell Schaff, and I am the sysop for an ISP in western North Dakota. We are currently running BSDI 3.0 on our host machine, and are using Cisco 2511 router/access servers to provide dialup access to our subscribers. The subscribers currently dial into the routers, which display a menu upon connection. The subscriber has the option of starting a shell session, which does an rlogin to our host, or they can start a ppp session. The ppp session is validated by the host using the tacacs protocol.

The tacacs system has worked really quite well thus far, but the cost of the routers and modems has forced us to look at alternative solutions. So we purchased a USRobotics NetServer/16, which uses the Radius method of validating users. The USR product does not allow the same menuing functionality that the routers provide, but we can address that issue internally.

One really nice thing about the tacacs software is that it verifies the userid and password using the master password in the /etc/master.passwd file, and requires no additional configuration once the daemon has started. Regardless of whether the user telnets, ftps, sends a mail via a pop mail client, or starts a ppp session, the password is always verified against the original /etc/master.passwd file.
(Please forgive me if this information is obvious - I'd rather err on the side of providing too much info, rather than not enough.)

Here's my problem/question. I'd like to do the same things with the radius software that I'm doing with the tacacs software, so that I can accommodate the NetServer hardware on the same host. The users who will be calling in on the NetServer will be in a completely different pool of dialup lines, so I'll always know what type of user (Radius or Tacacs) is dialing in, and I will configure them appropriately.

Now, what I'm trying to find out is (1) how to configure my login.conf file so that if user tacuser signs in, he'll be verified via the tacacs software (ultimately using the /etc/passwd file), but if user raduser signs in, he'll be validated by radius. Initially, this seems like a no-brainer, since tacuser will always be connecting via the Cisco routers, and raduser will always be connecting via the NetServer. However, it gets more complicated, because once raduser is signed into the NetServer, he might then want to telnet to the BSDI host, or start an ftp session. Or even more likely, he'll want to send an email message, and his email client will need his password on the host.

I don't know enough about radius and configuring the login.conf file to solve this problem, or know if it IS a problem or not. I read the manual pages on login.conf and login_radius, but I'm not familiar enough with unix to know how to change the login.conf file, or even what changes to put in. I understand that the default class will use /etc/passwd as the verification password, but I don't know how to tell the system that no matter how raduser logs in (telnet, ftp, rlogin, pop3, etc...) that the rpasswd file needs to be used, rather than the passwd file. The two unix administrator guides which I have looked through have no mention of radius, and don't discuss the login.conf file. I would really appreciate any help and/or information that anyone can provide.
When I talked with the folks at BSDI tech support, the technician I talked with had no prior experience with radius, and simply referred me to the manual pages for login.conf. Armed with that knowledge, I'm stuck dead in the water.

Thank you in advance for any help you might be able to provide. I will be more than happy to summarize all responses, and post them back to this newsgroup. Thanks again! And please reply to my email address, as well as this newsgroup.

Mitchell Schaff
mschaff@host1.dia.net
Dakota Internet Access