...

The Manage your UW NetID Resources utility (https://uwnetid.washington.edu/manage/) provides an interface for departmental administrators to configure Radius clients for the UW-IT Radius servers. For a Radius server to learn about a new client device, or about changes to an existing one, it has to be shut down and started back up with a new client configuration file. The Manage Utility does not communicate directly with the Radius servers; instead it maintains snippets that get merged into the Radius servers' client lists. One Radius server acts as a Sandbox that the Manage Utility can bounce up and down whenever it has new configuration files for it. The changes propagate to the other Radius servers at some later time in a less disruptive manner. Do your testing against the sandbox Radius server and switch to the other production servers once things are ironed out.


Step 1: Choose a UW NetID

...

The Radius protocol sends packets back and forth carrying Attribute-Value Pairs (AVPs). A number of generic AVPs apply to all device types; these include attributes such as User-Name, User-Password, Service-Type and Message-Authenticator. There are also Vendor Specific Attributes (VSAs) that apply only to devices made by particular vendors. The VSAs are usually used to indicate authorization levels. Our Radius servers here in UW-IT support three levels of users: Normal, Superuser, and Semi-Privileged (which falls somewhere between Normal and Superuser). VSAs are used to tell the device which type of user is logging in. To wit:

| Vendor   | VSA                     | Normal             | Semi-privileged    | Superuser           |
|----------|-------------------------|--------------------|--------------------|---------------------|
| A10      | A10-Admin-Privilege     | "Read-Only-Admin"  | "Read-Write-Admin" | "System-Admin"      |
| Adva     | Adva-User-Level         | "Retrieve"         | "Operate_Control"  | "Admin"             |
| Adva     | Adva-UUM-User-Level     | "Monitor"          | "Operator"         | "Admin"             |
| APC      | APC-Service-Type        | "ReadOnly"         | "Device"           | "Admin"             |
| Arbor    | Arbor-Privilege-Level   | "system_user"      | "system_analyst"   | "system_admin"      |
| Cisco    | Cisco-AvPair            | "shell:priv-lvl=1" | "shell:priv-lvl=1" | "shell:priv-lvl=15" |
| F5       | F5-LTM-User-Role        | "Guest"            | "Operator"         | "Administrator"     |
| F5       | F5-LTM-User-Info        | "guest"            | "operator"         | "admin"             |
| F5       | F5-LTM-User-Partition   | "Common"           | "Common"           | "All"               |
| F5       | F5-LTM-User-Shell       | "disabled"         | "disabled"         | "tmsh"              |
| Fortinet | Fortinet-Access-Profile | "read_only"        | "prof_admin"       | "super_admin"       |
| Foundry  | Foundry-Privilege-Level | "5"                | "5"                | "0"                 |
| Juniper  | Juniper-Local-User-Name | "noc"              | "noc"              | "ne"                |

If you have another vendor that absolutely needs a special VSA assertion, send some email to help@uw.edu.  Chances are you'll be happy with a vendor of Generic and the simple "Yes" or "No" response you get to the "Did this clown authenticate properly and is he authorized to log in here?" query.

...

The UW NetID groups authorization method uses up to four GWS groups (groups.uw.edu) to control who has access to your devices.  Effective members of the following groups get the indicated access:

| Group                       | Access                                                |
|-----------------------------|-------------------------------------------------------|
| u_radius_authz_{netid}      | Normal user access                                    |
| u_radius_authz_{netid}-l0   | Superuser access                                      |
| u_radius_authz_{netid}-l1   | Semi-privileged access                                |
| u_radius_authz_{netid}-lx   | No access (overrides membership in the above groups)  |

Distinguishing between the authorization levels requires either vendor-specific AVPs or the ADMIN flag below. Only the first group is required; the other groups can be empty or non-existent. You can send an email message to help@uw.edu with RADIUS in the subject asking that these authorization groups be created. We'll create all four groups; use the ones you need and ignore the others. NB: It can take a few minutes before updates to these groups are reflected in the actual authorization settings for the users involved.
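The following is an added worked example, not code from the Manage utility or the UW-IT Radius servers. It shows how the four authorization groups resolve to one of the three user levels (with the -lx group overriding everything), and how that level is then translated into the vendor VSA values from the table above. The group names and the "Generic" yes/no behaviour come from this page; the precedence Superuser > Semi-privileged > Normal for a user who sits in several groups at once, and the sample group memberships, are assumptions made for the example.

```python
"""Resolve a UW NetID RADIUS authorization level and the matching vendor VSA.

Illustrative code, not the UW-IT implementation. Group memberships used at the
bottom are constructed sample data.
"""
from enum import Enum


class Level(Enum):
    NONE = "no access"
    NORMAL = "Normal"
    SEMI = "Semi-privileged"
    SUPER = "Superuser"


# Vendor -> list of (VSA name, Normal value, Semi-privileged value, Superuser value),
# copied from the VSA table on this page.
VSA_TABLE = {
    "A10": [("A10-Admin-Privilege", "Read-Only-Admin", "Read-Write-Admin", "System-Admin")],
    "Adva": [("Adva-User-Level", "Retrieve", "Operate_Control", "Admin"),
             ("Adva-UUM-User-Level", "Monitor", "Operator", "Admin")],
    "APC": [("APC-Service-Type", "ReadOnly", "Device", "Admin")],
    "Arbor": [("Arbor-Privilege-Level", "system_user", "system_analyst", "system_admin")],
    "Cisco": [("Cisco-AvPair", "shell:priv-lvl=1", "shell:priv-lvl=1", "shell:priv-lvl=15")],
    "F5": [("F5-LTM-User-Role", "Guest", "Operator", "Administrator"),
           ("F5-LTM-User-Info", "guest", "operator", "admin"),
           ("F5-LTM-User-Partition", "Common", "Common", "All"),
           ("F5-LTM-User-Shell", "disabled", "disabled", "tmsh")],
    "Fortinet": [("Fortinet-Access-Profile", "read_only", "prof_admin", "super_admin")],
    "Foundry": [("Foundry-Privilege-Level", "5", "5", "0")],
    "Juniper": [("Juniper-Local-User-Name", "noc", "noc", "ne")],
}


def group_names(netid):
    """The four GWS group names derived from the client's UW NetID."""
    base = f"u_radius_authz_{netid}"
    return {"normal": base, "super": base + "-l0", "semi": base + "-l1", "deny": base + "-lx"}


def authz_level(netid, user_groups):
    """Map a user's effective GWS memberships to an authorization level.

    user_groups is the set of group names the user is an effective member of.
    The -lx group wins over every other membership, as the page states.
    Ordering Superuser above Semi-privileged above Normal for a user in more
    than one group is an assumption of this example.
    """
    g = group_names(netid)
    if g["deny"] in user_groups:
        return Level.NONE
    if g["super"] in user_groups:
        return Level.SUPER
    if g["semi"] in user_groups:
        return Level.SEMI
    if g["normal"] in user_groups:
        return Level.NORMAL
    return Level.NONE


def reply_attributes(vendor, level):
    """Return (accept, vsas): whether to send Access-Accept and which VSAs to include.

    A "Generic" vendor gets only the yes/no answer with no VSAs.
    """
    if level is Level.NONE:
        return False, {}
    if vendor == "Generic":
        return True, {}
    column = {Level.NORMAL: 1, Level.SEMI: 2, Level.SUPER: 3}[level]
    return True, {row[0]: row[column] for row in VSA_TABLE[vendor]}


if __name__ == "__main__":
    # Constructed sample: a user who is in the normal and superuser groups for
    # the (hypothetical) NetID "netops", and another who is also in the deny group.
    admin_groups = {"u_radius_authz_netops", "u_radius_authz_netops-l0"}
    denied_groups = admin_groups | {"u_radius_authz_netops-lx"}
    for groups in (admin_groups, denied_groups):
        lvl = authz_level("netops", groups)
        print(lvl.value, reply_attributes("Cisco", lvl))
```

The -lx override is the part worth testing deliberately: membership in a deny group must turn an otherwise-privileged user into an Access-Reject, and since group changes take a few minutes to reach the authorization settings, a removal should be verified on the sandbox server rather than assumed.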

...

These options select an experimental feature that doesn't scale well. They also override the authorization method used to determine who can access your device and use the Campus method instead.

ELB

The ELB option enables membership in a series of groups (u_radius_elb-f5_{partition}) used by the Enterprise Load Balancing team to control who has access to the various partitions defined on the F5 BIG-IP device.

fin