Ascend Archive
(ASCEND) Supporting multiple services with one RADIUS server
I would like to know if any of you have run into this yet, and if so what
you did to solve this problem.
We are currently evaluating Steel-Belted RADIUS.
We would like to support VPN and Ascend Dial-In service using 1 RADIUS server.
All RADIUS authentication requests would be forwarded to NT.
Here is my dilemma:
user_A belongs to the VPN NT group and needs x specific RADIUS reply attributes.
user_B belongs to the ASCEND NT group and needs y specific RADIUS reply attributes.
user_C belongs to both the VPN and ASCEND NT groups and needs x specific RADIUS reply attributes when connecting through VPN, but needs y specific RADIUS reply attributes when dialing in through ASCEND.
I think I can support user_A and user_B, using the NAS-Identifier IP address as a check item.
But what do I do about user_C?
If I understand the way RADIUS works, sequentially, or top down, then the following will happen if user_C is defined in the VPN NT group and the ASCEND NT group.
If user_C comes in through VPN and RADIUS goes sequentially down the "users" file and finds his account in the VPN NT group, he is authenticated and given the correct x attributes.
If user_C comes in through ASCEND and RADIUS goes sequentially down the "users" file, it finds his name in the VPN NT group, but the NAS-Identifier check item is invalid, so authentication fails. RADIUS does not continue to look through the rest of the "users" file to find his other user_C account under the ASCEND NT group.
Sincerely,
Nelson Llabona
++ Ascend Users Mailing List ++
To unsubscribe: send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd: <http://www.nealis.net/ascend/faq>
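
The lookup behaviour described in the message above, as an added example that is not part of the original post and is not Steel-Belted RADIUS code: a simplified Python model of a flat "users" file, comparing the stop-at-first-name lookup the poster describes with a lookup that continues past entries whose check items fail. The NAS addresses, the reply values and all function names are constructed for illustration; password checking is left out.

```python
# Simplified model of a flat "users" file. This is NOT the logic of any real
# RADIUS server; it only reproduces the two lookup strategies being compared.
# NAS addresses (documentation range) and reply values are constructed samples.
VPN_NAS = "192.0.2.10"
ASCEND_NAS = "192.0.2.20"

USERS = [
    # (user name, check items, reply attributes)
    ("user_A", {"NAS-Identifier": VPN_NAS}, {"reply": "x"}),
    ("user_C", {"NAS-Identifier": VPN_NAS}, {"reply": "x"}),     # VPN NT group
    ("user_B", {"NAS-Identifier": ASCEND_NAS}, {"reply": "y"}),
    ("user_C", {"NAS-Identifier": ASCEND_NAS}, {"reply": "y"}),  # ASCEND NT group
]


def check_items_match(check, request):
    """True when every check item equals the value carried in the request."""
    return all(request.get(key) == value for key, value in check.items())


def first_name_match(users, request):
    """Lookup as described in the post: stop at the first entry with this name.

    If that entry's check items fail, the request is rejected (None) and
    later entries for the same name are never examined.
    """
    for name, check, reply in users:
        if name == request["User-Name"]:
            return reply if check_items_match(check, request) else None
    return None


def fall_through_match(users, request):
    """Alternative lookup: skip entries whose check items fail and keep going."""
    for name, check, reply in users:
        if name == request["User-Name"] and check_items_match(check, request):
            return reply
    return None


def request_for(user, nas):
    """Build a constructed access request with only the fields used here."""
    return {"User-Name": user, "NAS-Identifier": nas}


if __name__ == "__main__":
    for nas in (VPN_NAS, ASCEND_NAS):
        req = request_for("user_C", nas)
        print(nas, first_name_match(USERS, req), fall_through_match(USERS, req))
```

In this model the reply set is chosen by the pair (user name, NAS), so user_C receives x or y only from the entry whose check item matches the device the request arrived through.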