Implement different access levels when using Radius authentication


#1

Right now, when you turn on Radius authentication instead of using the local admin and user accounts, all users authenticated through Radius are given admin rights and the local “admin” and “user” accounts are disabled, so you lose the ability to have read-only credentials. One way to maintain the two levels of access while using Radius authentication is to honor the “Service Type” parameter in Radius, and give admin access to credentials with service type 6 (Administrative) and read-only level to credentials with service type 7 (NAS Prompt). This is how HP does it. There’s a toggle setting for honoring the service type or not, and if it’s enabled, then each user’s level of access to the admin interface is determined by the service type returned by the Radius server when it accepts the credentials.



#2

Peplink grants user permission by the Vendor-Specific Attribute (AVP Type 26) value returned by the Radius server instead.

Vendor ID for Peplink is 23695. And the attribute name is Peplink-Webadmin-Login. The value is an integer. 1 specifies read-only user access. 2 specifies read-write full admin access.

This is supported since firmware 5.4.7 but I reckon it isn’t properly explained in the help text and user manual. We will update this. Thanks for the heads-up, ahopkins.


#3

For your reference, here is the FreeRADIUS dictionary for the vendors Peplink and Pepwave:

VENDOR Peplink 23695 Peplink

ATTRIBUTE Peplink-Webadmin-Login 1 integer Peplink
ATTRIBUTE Peplink-Webadmin-Login-Readonly 2 string Peplink
ATTRIBUTE Peplink-Webadmin-Login-Readwrite 3 string Peplink

VALUE Peplink-Webadmin-Login Readonly 1
VALUE Peplink-Webadmin-Login Read-Write 2

VENDOR Pepwave 27662 Pepwave

ATTRIBUTE Pepwave-Webadmin-Login 1 integer Pepwave
ATTRIBUTE Pepwave-Webadmin-Login-Readonly 2 string Pepwave
ATTRIBUTE Pepwave-Webadmin-Login-Readwrite 3 string Pepwave

VALUE Pepwave-Webadmin-Login Readonly 1
VALUE Pepwave-Webadmin-Login Read-Write 2
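As an added example (not from this thread or from Peplink's own firmware), the Python below decodes the Webadmin-Login Vendor-Specific Attribute described in #2 and defined in the dictionary in #3 from a raw RADIUS Access-Accept attribute list and maps it to an access level. Treating a missing, unknown or malformed attribute as "deny" is an assumption made here for fail-closed behaviour, not documented device behaviour; the sample attribute bytes are constructed.

```python
import struct

RADIUS_VENDOR_SPECIFIC = 26          # attribute type 26 (RFC 2865 section 5.26)
WEBADMIN_LOGIN_VENDOR_TYPE = 1       # Peplink-/Pepwave-Webadmin-Login in the dictionary above
VENDOR_IDS = {23695: "Peplink", 27662: "Pepwave"}
# Integer values defined by the dictionary: 1 = Readonly, 2 = Read-Write.
ACCESS_BY_VALUE = {1: "readonly", 2: "admin"}

def parse_attributes(data: bytes):
    """Yield (type, value) pairs from a RADIUS attribute list; reject bad lengths."""
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("attribute length out of bounds")
        yield atype, data[i + 2:i + alen]
        i += alen

def webadmin_access_level(attrs: bytes) -> str:
    """Map an Access-Accept attribute list to 'admin', 'readonly' or 'deny'."""
    # Assumption: fail closed. No Webadmin-Login VSA, an unknown value or a
    # malformed attribute yields 'deny' instead of the all-admin behaviour in #1.
    try:
        for atype, value in parse_attributes(attrs):
            if atype != RADIUS_VENDOR_SPECIFIC or len(value) < 4:
                continue
            vendor_id = struct.unpack("!I", value[:4])[0]
            if vendor_id not in VENDOR_IDS:
                continue
            # The vendor payload reuses the type/length/value layout.
            for vtype, vvalue in parse_attributes(value[4:]):
                if vtype == WEBADMIN_LOGIN_VENDOR_TYPE and len(vvalue) == 4:
                    code = struct.unpack("!I", vvalue)[0]
                    return ACCESS_BY_VALUE.get(code, "deny")
    except ValueError:
        return "deny"
    return "deny"

def build_webadmin_vsa(code: int, vendor_id: int = 23695) -> bytes:
    """Encode the VSA a RADIUS server returns: type 26, vendor id, then sub-TLV."""
    sub = struct.pack("!BBI", WEBADMIN_LOGIN_VENDOR_TYPE, 6, code)
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body

# Constructed sample: a Class attribute (type 25) followed by Peplink-Webadmin-Login = Read-Write.
SAMPLE_ACCEPT_ATTRS = bytes([25, 5, 0x61, 0x62, 0x63]) + build_webadmin_vsa(2)
```

On the wire the Peplink Read-Write VSA is the 12 bytes `1a 0c 00 00 5c 8f 01 06 00 00 00 02`, which is a handy pattern to look for in a capture when checking what the RADIUS server actually returned.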