For those of you who don't know, the patches I'm referring to simply let
somebody log in as user.service, and they get access settings from the
radius entry called DEFAULT.service (so there's DEFAULT.ppp, DEFAULT.slip,
DEFAULT.cslip, DEFAULT.shell, DEFAULT.uucp, etc.). My suggestion is this:
There should be a way to allow exceptions to the default settings.
Let me illustrate what I mean: Here is my current (workable) situation:
user = ppp (DEFAULT, because the vast majority use PPP)
user.ppp = ppp (in case they have previous knowledge and try this)
user.slip = slip
user.cslip = cslip
user.shell = telnet to unix machine
user.uucp = uucp service
When a user (jdoe) wants a static ip, I have to ask if he needs SLIP, and
add a full and explicit entry for "jdoe" in the users file. It would be
nice to set it up so both jdoe.ppp and jdoe.slip would assign his static
address. (I have some users who would like to log in from home and work,
but only SLIP is available at work, etc.) Such a mechanism would
facilitate a few other useful additions, as I'll show below.
What I'd like to see is something like this entry:
jdoe.SETTINGS Password="abcdefg" (or whatever)
Framed-Address = 1.2.3.4
which would tell RADIUS that jdoe has a specified pw instead of a Unix-PW
(no matter what the service), and it should include the address
information in any access-accept packet (no matter what the service). If
there's a conflict, the SETTINGS should take precedence. I'm sure people
can see the usefulness of that, but here are a couple more things. Since
there's now a place to keep user-centric global settings, why not include
something like
mary.SETTINGS
User-Service-Allow = uucp,shell
In this case, RADIUS would only allow mary to log in as mary.uucp or
mary.shell. User-Service-Deny=uucp could also be helpful. Necessarily,
if mary doesn't specify a service, then if there is an entry just for
"mary" in the users file, then that service is always allowed. If there is
no such entry, then obviously, DEFAULT.DEFAULT will be allowed. You can
still completely disable mary if you wish by just putting a password she
doesn't know in mary.SETTINGS.
Anyone else think this would be pretty cool, or am I all alone on this?
I'd write it myself if I had the time and skill.
Michael Nerone, Internet Direct, Inc., http://www.txdirect.net
nerone@txdirect.net
722-B Isom Rd., San Antonio, TX 78216
Voice: (210)308-9800, Fax: (210)308-9240
Please direct all queries to sales@txdirect.net.
Direct all tech questions to support@txdirect.net.
Any opinions expressed herein are my own and do
not necessarily reflect those of my employer.
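The lookup scheme the post proposes, written out as a small resolver. This is an added example, not code from the post or from any RADIUS server: it implements the user.service / DEFAULT.service fallback, the bare-username fallback through the user's own entry, DEFAULT.DEFAULT and DEFAULT, a user.SETTINGS entry merged on top with precedence on conflict, and the proposed User-Service-Allow / User-Service-Deny attributes (hypothetical names taken from the post, not standard RADIUS attributes). The users file text, the Unix password table and the hostnames are constructed sample data; the one-entry-per-line file format is a simplification of the real users file. The refusal of ".SETTINGS" as a service suffix is an assumption added here so a login such as "jdoe.SETTINGS" cannot select the settings entry directly.

```python
import hmac
import re

# Constructed sample users file (not from the post) in a one-entry-per-line
# "name  Attr = value, Attr = value" shape. The user.SETTINGS entries and the
# User-Service-Allow / User-Service-Deny attributes are the post's proposed,
# hypothetical additions; the other attribute names are standard RADIUS ones.
USERS_FILE = """\
# plain "DEFAULT" is what a bare username falls through to
DEFAULT          Service-Type = Framed-User, Framed-Protocol = PPP
DEFAULT.ppp      Service-Type = Framed-User, Framed-Protocol = PPP
DEFAULT.slip     Service-Type = Framed-User, Framed-Protocol = SLIP
DEFAULT.cslip    Service-Type = Framed-User, Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT.shell    Service-Type = Login-User, Login-Service = Telnet, Login-Host = unix.example.net
DEFAULT.uucp     Service-Type = Login-User, Login-Service = Telnet, Login-Host = uucp.example.net
jdoe.SETTINGS    Password = "abcdefg", Framed-Address = 1.2.3.4
mary.SETTINGS    User-Service-Allow = "uucp,shell"
bob              Service-Type = Login-User, Login-Service = Telnet, Login-Host = unix.example.net
bob.SETTINGS     User-Service-Deny = "uucp"
olduser.SETTINGS Password = "disabled-by-admin"
"""

# Constructed stand-in for the system ("Unix-PW") password check, used when
# the merged entry carries no Password attribute of its own.
UNIX_PASSWORDS = {"jdoe": "unix-secret", "mary": "mary-pw", "bob": "bob-pw",
                  "olduser": "old-pw"}

# Entry-only control attributes that must never be echoed in an Access-Accept.
CONTROL_ATTRS = {"Password", "User-Service-Allow", "User-Service-Deny"}

_ATTR_RE = re.compile(r'([\w-]+)\s*=\s*(?:"([^"]*)"|([^,\s]+))')


def parse_users_file(text):
    """Parse the users file into {entry_name: {attribute: value}}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        name, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        attrs = {}
        for m in _ATTR_RE.finditer(rest):
            # group 2 is a quoted value (may contain commas), group 3 a bare one
            attrs[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
        entries[name] = attrs
    return entries


def _first_entry(entries, names):
    """Return the attributes of the first entry name that exists, else None."""
    for n in names:
        if n in entries:
            return entries[n]
    return None


def resolve(entries, login, password):
    """Authorize a 'user' or 'user.service' login.

    Returns (accepted, reply_attributes, reason). Lookup order follows the
    post: user.service, then DEFAULT.service; for a bare username the user's
    own entry, then DEFAULT.DEFAULT, then DEFAULT. user.SETTINGS is merged on
    top and wins on conflict; its allow/deny lists apply only when a service
    is named explicitly, as the post describes.
    """
    name, _, service = login.partition(".")
    if service == "SETTINGS":
        # Assumption added here: the suffix is reserved, never a selectable service.
        return False, {}, "reserved service name"
    settings = entries.get(f"{name}.SETTINGS", {})
    if service:
        allowed = settings.get("User-Service-Allow")
        denied = settings.get("User-Service-Deny")
        if allowed is not None and service not in allowed.split(","):
            return False, {}, f"service {service!r} not in User-Service-Allow"
        if denied is not None and service in denied.split(","):
            return False, {}, f"service {service!r} in User-Service-Deny"
        base = _first_entry(entries, [login, f"DEFAULT.{service}"])
    else:
        base = _first_entry(entries, [name, "DEFAULT.DEFAULT", "DEFAULT"])
    if base is None:
        return False, {}, "no matching entry"
    merged = {**base, **settings}  # SETTINGS takes precedence on conflict
    # A Password in the merged entry replaces the Unix password for every service.
    expected = merged.get("Password", UNIX_PASSWORDS.get(name))
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return False, {}, "bad password"
    reply = {k: v for k, v in merged.items() if k not in CONTROL_ATTRS}
    return True, reply, "ok"


ENTRIES = parse_users_file(USERS_FILE)

if __name__ == "__main__":
    for login, pw in [("jdoe.ppp", "abcdefg"), ("jdoe.slip", "unix-secret"),
                      ("mary.ppp", "mary-pw"), ("mary.uucp", "mary-pw"),
                      ("mary", "mary-pw"), ("bob.uucp", "bob-pw"),
                      ("olduser.ppp", "old-pw")]:
        print(login, resolve(ENTRIES, login, pw))
```

Running the block shows the behaviours the post asks for: jdoe gets Framed-Address 1.2.3.4 whether he logs in as jdoe.ppp or jdoe.slip, and his Unix password no longer works once jdoe.SETTINGS carries a Password; mary.ppp is refused while mary.uucp and a bare "mary" succeed; bob.uucp is refused by the deny list; and olduser is locked out of every service by a Password only the administrator knows.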