Right now, when you turn on Radius authentication instead of using the local admin and user accounts, all users authenticated through Radius are given admin rights and the local “admin” and “user” accounts are disabled, so you lose the ability to have read-only credentials. One way to maintain the two levels of access while using Radius authentication is to honor the “Service Type” parameter in Radius, and give admin access to credentials with service type 6 (Administrative) and read-only level to credentials with service type 7 (NAS Prompt). This is how HP does it. There’s a toggle setting for honoring the service type or not, and if it’s enabled, then each user’s level of access to the admin interface is determined by the service type returned by the Radius server when it accepts the credentials.
Peplink instead grants user permission based on the Vendor-Specific Attribute (AVP Type 26) value returned by the Radius server.
Vendor ID for Peplink is 23695. And the attribute name is Peplink-Webadmin-Login. The value is an integer. 1 specifies read-only user access. 2 specifies read-write full admin access.
This has been supported since firmware 5.4.7, but I reckon it isn’t properly explained in the help text and user manual. We will update this. Thanks for the heads-up, ahopkins.
For your reference, here is the FreeRADIUS dictionary for vendors Peplink and Pepwave:
VENDOR Peplink 23695 Peplink
ATTRIBUTE Peplink-Webadmin-Login 1 integer Peplink
ATTRIBUTE Peplink-Webadmin-Login-Readonly 2 string Peplink
ATTRIBUTE Peplink-Webadmin-Login-Readwrite 3 string Peplink
VALUE Peplink-Webadmin-Login Readonly 1
VALUE Peplink-Webadmin-Login Read-Write 2
VENDOR Pepwave 27662 Pepwave
ATTRIBUTE Pepwave-Webadmin-Login 1 integer Pepwave
ATTRIBUTE Pepwave-Webadmin-Login-Readonly 2 string Pepwave
ATTRIBUTE Pepwave-Webadmin-Login-Readwrite 3 string Pepwave
VALUE Pepwave-Webadmin-Login Readonly 1
VALUE Pepwave-Webadmin-Login Read-Write 2
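An added example, not part of the thread and not Peplink's code: a Python sketch of how the attribute section of an Access-Accept can be checked for the Webadmin-Login value described above, using the standard type 26 layout from RFC 2865. The function names are hypothetical, the sample bytes are constructed, and returning no level for a missing or unknown value is this example's own choice, not documented device behaviour.

```python
import struct

PEPLINK, PEPWAVE = 23695, 27662   # vendor IDs from the dictionary above
WEBADMIN_LOGIN = 1                # Peplink-/Pepwave-Webadmin-Login
LEVELS = {1: "read-only", 2: "read-write"}

def build_vsa(vendor_id, vendor_type, value):
    """Encode a type-26 attribute holding one 32-bit integer sub-attribute."""
    sub = struct.pack("!BBI", vendor_type, 6, value)
    return struct.pack("!BBI", 26, 6 + len(sub), vendor_id) + sub

def tlvs(buf):
    """Yield (type, value) pairs from a type/length/value run; length covers the header."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % i)
        yield buf[i], buf[i + 2:i + buf[i + 1]]
        i += buf[i + 1]

def webadmin_level(attrs, vendor_id=PEPLINK):
    """Return 'read-only', 'read-write', or None when no valid level is present."""
    for atype, body in tlvs(attrs):
        if atype != 26 or len(body) < 4:
            continue                      # not a Vendor-Specific attribute
        if struct.unpack("!I", body[:4])[0] != vendor_id:
            continue                      # another vendor's VSA
        for vtype, value in tlvs(body[4:]):
            if vtype == WEBADMIN_LOGIN and len(value) == 4:
                return LEVELS.get(struct.unpack("!I", value)[0])
    return None

# Constructed sample: Service-Type = Administrative (6) followed by the Peplink VSA
# with Peplink-Webadmin-Login = 1. Only the VSA decides the level here.
SERVICE_TYPE_ADMIN = struct.pack("!BBI", 6, 6, 6)
SAMPLE = SERVICE_TYPE_ADMIN + build_vsa(PEPLINK, WEBADMIN_LOGIN, 1)

if __name__ == "__main__":
    print(webadmin_level(SAMPLE))
```

The sample carries Service-Type 6 alongside the vendor attribute, so it shows that a policy written only around Service-Type would not control the level in this scheme.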
We are looking for the attributes of the Peplink routers on the FortiAuthenticator.
Thank you !!!