*BSD News Article 97771



Newsgroups: comp.unix.bsd.bsdi.misc
From: mschaff@host1.dia.net (Mitchell Schaff)
Subject: BSDI 3.0/Radius Question
X-Nntp-Posting-Host: 208.18.175.69
Message-ID: <5nnvkf$f6v@host1.dia.net>
Lines: 63
Sender: news@data-io.com (Usenet news)
Organization: Dakota Internet Access
Date: Thu, 12 Jun 1997 04:57:51 GMT
Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.cs.su.oz.au!inferno.mpx.com.au!news.ci.com.au!brian.telstra.net!act.news.telstra.net!news-out.internetmci.com!newsfeed.internetmci.com!news.dsource.com!cnn.isc-br.com!nwfocus.wa.com!nwnews.wa.com!entropy1!pilchuck!host1.dia.net!not-for-mail
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.bsdi.misc:7005

Hello.  My name is Mitchell Schaff, and I am the sysop for an ISP in
western North Dakota.  We are currently running BSDI 3.0 on our host
machine, and are using Cisco 2511 router/access servers to provide dialup
access to our subscribers.  The subscribers currently dial into the routers,
which display a menu upon connection.  The subscriber has the option of
starting a shell session, which does an rlogin to our host, or they can start
a ppp session.  The ppp session is validated by the host using the tacacs
protocol.

  The tacacs system has worked really quite well thus far, but the cost of
the routers and modems has forced us to look at alternative solutions.  So
we purchased a USRobotics NetServer/16, which uses the Radius method of
validating users.  The USR product does not allow the same menuing function-
ality that the routers provide, but we can address that issue internally.

  One really nice thing about the tacacs software is that it verifies the
userid and password using the master password in the /etc/master.passwd
file, and requires no additional configuration once the daemon has started.
Regardless of whether the user telnets, ftps, sends mail via a pop mail
client, or starts a ppp session, the password is always verified against
the original /etc/master.passwd file.  (Please forgive me if this information
is obvious - I'd rather err on the side of providing too much info, rather
than not enough.)

  Here's my problem/question.  I'd like to do the same things with the radius
software that I'm doing with the tacacs software, so that I can accommodate
the NetServer hardware on the same host.  The users who will be calling in on
the NetServer will be in a completely different pool of dialup lines, so I'll
always know what type of user (Radius or Tacacs) is dialing in, and I will
configure them appropriately.  Now, what I'm trying to find out is (1) how
to configure my login.conf file so that if user tacuser signs in, he'll be
verified via the tacacs software (ultimately using the /etc/passwd file),
but if user raduser signs in, he'll be validated by radius.  Initially, this
seems like a no-brainer, since tacuser will always be connecting via the
Cisco routers, and raduser will always be connecting via the Netserver.
However, it gets more complicated, because once raduser is signed into the
NetServer, he might then want to telnet to the BSDI host, or start an ftp
session.  Or even more likely, he'll want to send an email message, and his
email client will need his password on the host.  I don't know enough about
radius and configuring the login.conf file to solve this problem, or know if
it IS a problem or not.  I read the manual pages on login.conf and
login_radius, but I'm not familiar enough with unix to know how to change the
login.conf file, or even what changes to put in.  I understand that the
default class will use /etc/passwd as the verification password, but I don't
know how to tell the system that no matter how raduser logs in (telnet, ftp,
rlogin, pop3, etc...) that the rpasswd file needs to be used, rather than the
passwd file.  The two unix administrator guides which I have looked through
have no mention of radius, and don't discuss the login.conf file.

I would really appreciate any help and/or information that anyone can provide.
When I talked with the folks at BSDI tech support, the technician I talked
with had no prior experience with radius, and simply referred me to the manual
pages for login.conf.  Armed with that knowledge, I'm stuck dead in the water.

Thank you in advance for any help you might be able to provide.  I will be
more than happy to summarize all responses, and post them back to this
newsgroup.  Thanks again!  And please reply to my email address, as well as
this newsgroup.

Mitchell Schaff
mschaff@host1.dia.net
Dakota Internet Access
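
The class-based setup the post is asking about, shown as an added illustration that is not part of the original article. In the BSD authentication framework that BSD/OS introduced (and that OpenBSD later inherited together with login_radius), the fifth field of a user's /etc/master.passwd entry selects a login.conf class, and that class's auth capability names the authenticator; every service that authenticates through the framework then uses it, however the user connected. The capability names used here (auth, radius-server, radius-port, radius-timeout, radius-retries) and the /etc/raddb/servers secret file are taken from the OpenBSD login_radius(8) manual and are assumed, not confirmed, to match BSD/OS 3.0; the hostname, secret and user entries are made up for the example.

```conf
# /etc/login.conf (illustrative excerpt, added example)
#
# Accounts in the default class keep authenticating against the
# crypted password stored in /etc/master.passwd (the "passwd" style).
default:\
	:auth=passwd:\
	:path=/bin /usr/bin /usr/local/bin:\
	:umask=022:

# Accounts in the "radius" class are checked by login_radius against
# the RADIUS server instead of the local password field.  The
# radius-* capability names are assumed from the OpenBSD descendant
# of the BSD/OS code.  Port 1645 was the original RADIUS port in 1997;
# RFC 2865 later assigned 1812.
radius:\
	:auth=radius:\
	:radius-server=radius.example.net:\
	:radius-port=1645:\
	:radius-timeout=5:\
	:radius-retries=3:\
	:tc=default:

# /etc/master.passwd (constructed entries) -- the fifth field is the
# login class.  tacuser keeps an empty class field and so stays in
# "default"; raduser is placed in "radius".  raduser's password field
# is "*" because his password lives on the RADIUS server, not here:
# any daemon that compares against this field directly, instead of
# calling the authentication framework, will therefore reject him.
tacuser:CRYPTED_PASSWORD_HERE:1001:100::0:0:Tacacs User:/home/tacuser:/bin/sh
raduser:*:1002:100:radius:0:0:Radius User:/home/raduser:/bin/sh

# /etc/raddb/servers -- one "server secret" pair per line.  Keep it
# owned by root with mode 0600; the shared secret is all that
# protects the RADIUS exchange.
radius.example.net  ExampleSharedSecret
```

The caveat a practitioner would check before relying on this: the class only governs programs that call the BSD auth framework (login, su, and daemons built on it), so a POP3 or FTP server that reads the crypted field itself will never consult login_radius, which is precisely the gap the login.conf manual page alone does not explain. Test a radius-class account with a console login before moving the dialup pool over, and confirm the secret file is unreadable to ordinary users.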