DECServer/RADIUS Configuration

From: Tom Webster <webster_at_europa.mdc.com>
Date: Thu, 5 Dec 1996 00:46:31 -0800 (PST)

Hi,

I'm trying to get a DEC Server 700 set up to use RADIUS to authenticate
users from my AS2100. So far I have managed to get RADIUS working as
far as using passwords in the users files and matching passwords in
/etc/passwd when the password for the user is set to "UNIX".

What I can't seem to figure out is how to limit services using DEC's
Vendor-Specific tags. I haven't been able to figure out quite what
they are looking for from the NAS (Network Access) Software
documentation or from the RADIUS RFCs. I'm pretty sure it is just a
matter of getting the format right.

The hardware involved is an AlphaServer 2100 and an eight port
DECServer 700. The AS2100 is acting as both the bootp host and the
RADIUS server for the DECServer 700. The boot image for the DS is the
WWENG2 file from the NAS 2.0 (NetRider) package. We didn't find out
until we got the NetRider software in that in order to manage users on
the DECServer you were supposed to also get the Digital Remote Access
Server software, which appears to be a RADIUS wrapper.

Since the NAS software is supposed to work with RADIUS, I pulled in a
copy of Livingston's freely available RADIUS server v.1.16. Aside from
these 'Vendor-Specific' tags it has been remarkably easy to install.

The tag I'm having problems with is #26 A.K.A 'Vendor-Specific'.
According to the draft v5 (7/96) RADIUS spec, vendor specific is
supposed to be formatted as follows:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |    Length     |            Vendor-Id
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
           Vendor-Id (cont)           |  Vendor type  | Vendor length |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Attribute-Specific...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

I'm assuming that the RADIUS server will take care of mapping
"Vendor-Specific" to the value "26" for "type" in the appropriate format,
and will likewise take care of the length field for the over-all string,
prepending them to the remainder when the data is sent.

The DEC documentation provides an eight digit vendor ID (which should
work as a 32bit value if it is in HEX). The "vendor type" is "1" for
service permissions, and I assume that the v-length field is the length
(in bits?) of the attribute which follows.

In this case, the attribute is supposed to be comprised of "four
octets, interpreted as a 32-bit bit-vector." The 32bit number is made
up of a binary image mask, depending on what features are enabled.

I'm OK up to this point, but I don't have any idea how the DECServer
expects this data to be formatted. One large binary number, a decimal
number, hex, a series of period separated octals?

If anyone has any experience doing this, I'd really appreciate it if
you could drop some hints my way. I'd prefer not to have to use the
DRAS software, for a couple of reasons: (1) DRAS requires that you
manage users from a PC, even if the server is running under UNIX. (2)
All of the functionality appears to be in the freely available RADIUS
server, which can be managed with simple text files on the UNIX
server.

Thanks in advance,

Tom
--
+--------------------------------+------------------------------+
| Tom Webster                    | "Funny, I've never seen it   |
| SysAdmin MDA-SSD ISS-IS-HB-S&O | do THAT before...."          |
| webster_at_ssdpdc.mdc.com         | - Any user support person    |
+--------------------------------+------------------------------+
|   Unless clearly stated otherwise all opinions are my own.    |
+---------------------------------------------------------------+
Received on Thu Dec 05 1996 - 10:13:00 NZDT
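
The attribute layout quoted in the message, worked through as bytes (an added example, not part of the original post and not DEC's or Livingston's code): it packs a Vendor-Specific attribute whose single sub-attribute is a 32-bit bit-vector in network byte order, then parses it back with the length checks a receiver needs. The vendor ID and the mask are constructed placeholders, and treating Vendor length as an octet count that includes the two sub-attribute header octets is an assumption based on common RADIUS practice.

```python
import struct

VENDOR_SPECIFIC = 26             # RADIUS attribute type named in the post
PLACEHOLDER_VENDOR_ID = 0x0      # placeholder: use the ID from the vendor documentation
VT_SERVICE_PERMISSIONS = 1       # "vendor type" 1, as stated in the post


def encode_bitvector(mask):
    """Four octets, big-endian (network order), holding a 32-bit mask."""
    return struct.pack("!I", mask)


def encode_vsa(vendor_id, vendor_type, value):
    """Type | Length | Vendor-Id (4) | Vendor type | Vendor length | value."""
    # Assumption: Vendor length counts its own two header octets plus the value.
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    length = 2 + len(body)       # outer Length covers Type and Length too
    if length > 255:
        raise ValueError("attribute does not fit a one-octet Length field")
    return struct.pack("!BB", VENDOR_SPECIFIC, length) + body


def decode_vsa(attr):
    """Return (vendor_id, [(vendor_type, value), ...]); reject bad lengths."""
    if len(attr) < 8:
        raise ValueError("too short for a Vendor-Specific attribute")
    atype, length = struct.unpack("!BB", attr[:2])
    if atype != VENDOR_SPECIFIC:
        raise ValueError("not attribute type 26")
    if length != len(attr):
        raise ValueError("outer Length does not match the data received")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    subs, pos = [], 6
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated sub-attribute header")
        vtype, vlen = attr[pos], attr[pos + 1]
        if vlen < 2 or pos + vlen > length:
            raise ValueError("Vendor length overruns the attribute")
        subs.append((vtype, attr[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subs


if __name__ == "__main__":
    mask = 0x00000005            # constructed mask: bits 0 and 2 set
    wire = encode_vsa(PLACEHOLDER_VENDOR_ID, VT_SERVICE_PERMISSIONS,
                      encode_bitvector(mask))
    print(wire.hex(" "))
    print(decode_vsa(wire))
```

Which bit enables which service, and how a given server's users file spells this attribute, are not covered here; both come from the vendor and server documentation.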
