...

Configuration is carried out via the device's web interface: "Main menu" >> "Preferences" >> "RADIUS".


To enable user authentication via a RADIUS server, check the "Enable" box and fill in the following fields:

...

Configuring the server using FreeRADIUS as an example

FreeRADIUS server version 3.0 and higher uses the /etc/freeradius/3.0 directory for its configuration files. Older versions may use other directories, such as /etc/raddb.

Authentication method: unencrypted authentication (PAP, SPAP).

...

1. The vendor dictionary (for example, the file "dictionary.local") must be placed in the directory /etc/freeradius/3.0:

dictionary.local:
#
# Vutlan dictionary of parameters.
#
VENDOR        Vutlan        39052
ATTRIBUTE    SRead            10    string        Vutlan
ATTRIBUTE    SWrite           11    string        Vutlan
ATTRIBUTE    CRead            12    string        Vutlan
ATTRIBUTE    CWrite           13    string        Vutlan
ATTRIBUTE    GRead            14    string        Vutlan
ATTRIBUTE    GWrite           15    string        Vutlan
ATTRIBUTE    RFU1             16    string        Vutlan
ATTRIBUTE    RFU2             17    string        Vutlan

...

2. The list of server clients is in the file /etc/freeradius/3.0/clients.conf. A client record looks like this:

/etc/freeradius/3.0/clients.conf:
client 192.168.1.88 {
   secret = password123
}

...

3. User records are in the file /etc/freeradius/3.0/mods-config/files/authorize and look like this:

/etc/freeradius/3.0/mods-config/files/authorize:
username01 Cleartext-Password := "35675e68f4b5af7b995d9205ad0fc43842f16450"
	SRead = "all,",
	SWrite = "all,",
	CRead = "all,",
	CWrite = "all,",
	GRead = "all,",
	GWrite = "all,",
	RFU1 = "something strange",
	RFU2 = "another something strange too"

...

/etc/freeradius/3.0/mods-config/files/authorize:
username01 Cleartext-Password := "35675e68f4b5af7b995d9205ad0fc43842f16450", NAS-IP-Address == "192.168.1.88"
	SRead = "all,",
	SWrite = "all,",
	CRead = "all,",
	CWrite = "all,",
	GRead = "all,",
	GWrite = "all,"

username01 Cleartext-Password := "35675e68f4b5af7b995d9205ad0fc43842f16450", NAS-IP-Address != "192.168.1.88"
	SRead = "all,",
	SWrite = "devvirt,elements,log,logics,modules,notify,relays,sdcard,system,view,",
	CRead = "all,",
	CWrite = "all,",
	GRead = "all,",
	GWrite = "3001,3002,"

Here, when the user username01 is authenticated through the device with IP address 192.168.1.88, it receives full access rights to the device (all fields set to "all"). When the same username username01 authenticates from any other device (any IP address other than 192.168.1.88), the user's write access to the device's resources and groups is restricted.
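The following is an added example (not part of the original page or the vendor's software) that models how the files module resolves the two entries above: it parses users-file entries, returns the reply items of the first entry whose check items match, and splits the Vutlan permission lists. The password value is the one shown on the page; the NAS address 10.0.0.5 is a constructed "other device".

```python
import re

# Constructed sample reproducing the two authorize entries above (Vutlan attributes trimmed to three).
PASSWORD = "35675e68f4b5af7b995d9205ad0fc43842f16450"
USERS_FILE = f'''\
username01 Cleartext-Password := "{PASSWORD}", NAS-IP-Address == "192.168.1.88"
\tSRead = "all,",
\tSWrite = "all,",
\tGWrite = "all,"

username01 Cleartext-Password := "{PASSWORD}", NAS-IP-Address != "192.168.1.88"
\tSRead = "all,",
\tSWrite = "devvirt,elements,log,logics,modules,notify,relays,sdcard,system,view,",
\tGWrite = "3001,3002,"
'''
# One 'Attribute op "value"' item; ':=' must be tried before '='.
ITEM = re.compile(r'([\w-]+)\s*(:=|==|!=|=)\s*"([^"]*)"')

def parse_users(text):
    """Split a users file into (name, check_items, reply_items) entries."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        first, *rest = block.splitlines()
        name, _, checks = first.partition(" ")
        replies = {a: v for line in rest for a, _, v in ITEM.findall(line)}
        entries.append((name, ITEM.findall(checks), replies))
    return entries

def lookup(entries, username, password, nas_ip):
    """Reply items of the first matching entry, or None (reject). Simplification: Cleartext-Password
    is compared here; in FreeRADIUS the files module only stores it and the pap module compares."""
    request = {"NAS-IP-Address": nas_ip}
    for name, checks, replies in entries:
        if name not in (username, "DEFAULT"):
            continue
        ok = True
        for attr, op, value in checks:
            if attr == "Cleartext-Password":
                ok &= password == value
            elif op == "==":
                ok &= request.get(attr) == value
            elif op == "!=":
                ok &= request.get(attr) != value
        if ok:  # first match wins: these entries set no Fall-Through
            return replies
    return None

def perm_set(value):
    """Turn a Vutlan list such as "a,b," into a set; {"all"} means everything."""
    return {p for p in value.split(",") if p}
```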

Run the FreeRADIUS server with the command freeradius -X to see full debug output.

System access permissions

...

Accordingly, the user profile contains two types of lists: lists for read access and lists for write access (both writing and reading).
The system allows three types of permission lists:

...