Ascend Archive
Re: (ASCEND) radius menus without ascend-menu-item (fwd)
> Sounded to me like what was being asked was for dialin user menus.
You are correct. Part of my problem with the initial question was the
assumption that a vendor's RADIUS server specific feature was a standard
RADIUS attribute, when it is not. "Menu" is no more standard than the
Merit "Authentication-Type" or the Ascend "Time-Of-Day" or the Radiator
"Expiration" or .... Because they are server specific features, they
are not normally discussed in the NAS documentation and they are not
standardized (though they may frequently be duplicated).
> > I am curious to know how you would accomplish the equivalent of the
> > following functionality in a vendor neutral way using only the RFC
> > Access-Challenge with RFC Reply-Message attributes.
>
> You wouldn't. Most products deal with this by having some kind of 'show
> only' user who can execute such commands but not set anything. Cisco has
> several levels, Lucent has Admin-User and NAS-Prompt-User - the first is
> the same as root, the second has only viewing privs and cannot change
> a config. A lot more flexible than menu choices.
You have a strange idea of "more flexible". Especially since an Ascend
can do *both* (I am assuming you are aware of Security->Security profiles).
I fail to see how presenting someone the *option* to use an easy-to-use
menu that strictly limits the choices of commands and avoids forcing the
naive user to remember or learn the commands or options is *less* flexible
than not offering the option.
> Of course, Ascend could also do this in an RFC valid way - like using a
> VSA instead of a bogus attribute number.
You will be happy to know that you will have that option as of 7.0, assuming
the 7.0 beta release notes are correct.
Subject: (ASCEND) 7.0b6 for Max family
* Radius Vendor-Specific Attribute (VSA) support
http://archives.real-time.com/ascend_user_group/msg20349.html
> So a VSA would be a better choice, if this is truly needed.
I believe that was the reason why Ascend made the choice to use a vendor
specific attribute to provide the new functionality (even if they did not
initially encapsulate it in a Vendor-Specific attribute).
++ Ascend Users Mailing List ++
To unsubscribe: send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd: <http://www.nealis.net/ascend/faq>
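
The VSA-versus-top-level-number distinction discussed in this message, as an added example that is not part of the original post and is not Ascend's or any RADIUS server's code. It parses a RADIUS attribute list using the RFC 2865 Vendor-Specific layout (type 26, 4-byte Vendor-Id, then vendor type/length/value sub-fields); the vendor id 99999, the type numbers 200 and 1, and the attribute values are constructed placeholders.

```python
import struct

VENDOR_SPECIFIC = 26   # RFC 2865 section 5.26
REPLY_MESSAGE = 18     # RFC 2865 section 5.18

def encode_attr(atype, value):
    """One type/length/value attribute; length counts the 2 header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value

def encode_vsa(vendor_id, vendor_type, value):
    """Wrap a vendor attribute inside Vendor-Specific (type 26)."""
    sub = encode_attr(vendor_type, value)  # sub-field uses the same TLV layout
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)

def walk_tlvs(buf):
    """Yield (type, value) pairs, rejecting truncated or inconsistent lengths."""
    i = 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError("truncated attribute header")
        atype, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("bad attribute length")
        yield atype, buf[i + 2:i + length]
        i += length

def parse_attributes(buf):
    """Return (scope, vendor_id, type, value) for every attribute in buf."""
    out = []
    for atype, body in walk_tlvs(buf):
        if atype != VENDOR_SPECIFIC:
            # RFC 2865 marks types 192-255 as experimental, implementation-
            # specific or reserved: nothing in the packet says who owns them.
            scope = "unassigned" if atype >= 192 else "standard"
            out.append((scope, None, atype, body))
            continue
        if len(body) < 4:
            raise ValueError("Vendor-Specific too short for Vendor-Id")
        vendor_id = struct.unpack("!I", body[:4])[0]
        for vtype, vbody in walk_tlvs(body[4:]):
            out.append(("vendor", vendor_id, vtype, vbody))
    return out

# Constructed sample: the same vendor data sent first as a bare top-level
# attribute number (200, hypothetical), then inside a VSA (vendor 99999, type 1).
SAMPLE = (encode_attr(REPLY_MESSAGE, b"Choose an option")
          + encode_attr(200, b"menu entry")
          + encode_vsa(99999, 1, b"menu entry"))
```

Only the VSA form carries the Vendor-Id on the wire, so a receiver without the vendor's dictionary can still attribute or skip it unambiguously.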