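Format of the users file:
Each entry in the file begins with a username, followed by a list of check items.
The following lines each begin with a tab character (so they are indented) and hold the list of reply items.
Both the list of check items and the list of reply items are made up of attribute/value pairs.
Several items (attribute/value pairs) may be placed on one line, but they must be separated by commas.
Reply items may also be spread over several lines; in that case every line except the last must end with a comma (the list of check items needs no trailing comma), so the lines are still treated as a single line.
The format is as follows: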
username list of check items
	list of reply items,
	list of reply items,
	list of reply items,
	list of reply items,
	list of reply items,
	list of reply items

steve Cleartext-Password := "testing"
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-IP-Address = 172.16.3.33,
	Framed-IP-Netmask = 255.255.255.0,
	Framed-Routing = Broadcast-Listen,
	Framed-Filter-Id = "std.ppp",
	Framed-MTU = 1500,
	Framed-Compression = Van-Jacobsen-TCP-IP
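How the users file works:
The first line, the list of check items, is used to match the incoming request.
The list of check items is normally used to match the password,
because the username in front of it can also be used for matching.
This makes it a double match:
1. match the username
2. match the list of check items (password)
The list of reply items below is written into the reply and sent back to the user.
Note that each reply item is written into its own reply packet, so there may be several reply packets rather than one that carries everything.
Example: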
steve Cleartext-Password := "testing"
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-IP-Address = 172.16.3.33,
	Framed-IP-Netmask = 255.255.255.0,
	Framed-Routing = Broadcast-Listen,
	Framed-Filter-Id = "std.ppp",
	Framed-MTU = 1500,
	Framed-Compression = Van-Jacobsen-TCP-IP
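If the user-name of the request is steve
and its Cleartext-Password is testing,
the attribute pairs from the second line onward are added to the reply sent to the user.
Matching against the check items on the first line is not authentication; it is only a match made before authorization and serves authorization only.
Operators in the users file
Check items on the first line may only use == or :=, and occasionally = (for server attributes such as Auth-Type=...).
Reply items from the second line onward may only use =.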
/usr/local/etc/raddb/users]:3 WARNING! Changing 'User-Password =' to 'User-Password ==' for comparing RADIUS attribute in check item list for user test
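The warning above shows the server silently rewriting an operator, so it is worth checking the file before reloading it. The following is an added example, not code from the original page or from FreeRADIUS: a small parser for the format described above that applies only the operator and comma rules stated on this page. The names items, parse_users, lint and SERVER_ATTRS are hypothetical, and the sample input is constructed.

```python
import re

# One "attribute operator value" pair, limited to the operators the page names.
ITEM = re.compile(r'\s*([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^,\s]+)\s*,?')
SERVER_ATTRS = {"Auth-Type"}  # assumption: the page's one example of a server attribute

def items(text, where):
    """Split a comma-separated item list into (attr, op, value) tuples."""
    if ITEM.sub("", text).strip():               # anything left over is malformed
        raise ValueError(f"{where}: cannot parse {text.strip()!r}")
    return ITEM.findall(text)

def parse_users(text):
    """First line of an entry: user + check items; indented lines: reply items."""
    entries, open_list = [], True  # open_list: a reply line may legally follow
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and entries:          # indented: reply items
            if not open_list:
                entries[-1]["findings"].append(f"line {n}: previous reply line lacks ','")
            entries[-1]["reply"] += items(raw, f"line {n}")
            open_list = raw.rstrip().endswith(",")
        else:                                    # new entry
            user, *rest = raw.split(None, 1)
            entries.append({"user": user, "check": items("".join(rest), f"line {n}"),
                            "reply": [], "findings": []})
            open_list = True
    return entries

def lint(entries):
    """Apply the operator rules stated on the page; return finding strings."""
    found = []
    for e in entries:
        found += [f"{e['user']}: {f}" for f in e["findings"]]
        found += [f"{e['user']}: check item {a} uses '=', expected '==' or ':='"
                  for a, op, _ in e["check"] if op == "=" and a not in SERVER_ATTRS]
        found += [f"{e['user']}: reply item {a} uses '{op}', expected '='"
                  for a, op, _ in e["reply"] if op != "="]
    return found

# Constructed sample: 'steve' follows the page's entry, 'test' breaks the rules.
SAMPLE = ('steve Cleartext-Password := "testing"\n'
          '\tService-Type = Framed-User,\n'
          '\tFramed-MTU = 1500\n'
          'test User-Password = "secret"\n'
          '\tService-Type := Framed-User\n'
          '\tFramed-MTU = 1500\n')
```

Calling lint(parse_users(SAMPLE)) reports three findings, all for the entry test: the missing comma, the = in the check item, and the := in the reply item.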
Authorization example: a router user gets enable privilege directly at login
[root@vmmac raddb]# cat /usr/local/etc/raddb/users
macg Cleartext-Password := "008421"
	cisco-avpair ="shell:priv-lvl=15"
User Access Verification
Username: macg
Password:
3800-2>     (only the basic privilege level is reached)
3800-2>
Restart radiusd
[root@vmmac raddb]# pgrep -l radius
5094 radiusd
[root@vmmac raddb]# kill -HUP 5094
User Access Verification
Username: mac
Password:
3800-2#     (after login the privileged level is entered directly, without going through enable)
Reposted from: http://bbs.07fly.com/forum.php?mod=viewthread&tid=128&extra=page%3D1