Web authentication via Radius

[Subhendu Ghosh]

On Wed, 24 Aug 2005, Tony wrote:

> We have a radius server that is used to authenticate staff logging onto our
> routers and switches, I’d like to be able to use the radius server to
> authenticate staff logging into the Nagios web interface also.
>
> I’ve been able to install the mod_auth_xradius module on our Nagios server
> and can get authentication working via the radius server without any
> problems, however any users I want to be able to access and view the Nagios
> pages needs to be added to the cgi.cfg file in all the relevant places.
>
> What would be good is not to have to add these usernames to the cgi.cfg file
> which means any new users that are added to the radius users database
> doesn’t also have to be added to the cgi.cfg file.
>
>
>
> So is there a way to just let Nagios give full access to all web functions
> as long as they pass the web authentication first without having to add the
> usernames into the cgi.cfg file?
>
> All users would be admin users anyway so they would not need to be limited
> to certain functions.
>
>
>
> I know we can give one login username/password to everyone but I’d like to
> be able to see who is logging in and keep track of what they are doing and
> with one generic username/password that would be hard to do.
>
>
>


use wildcard in cgi.cfg - for all the authorized_for* entries put in "*". 
This lets any user authenticated to the web server see/do stuff.

The ones of particular interest are:
authorized_for_all_services=*
authorized_for_all_hosts=*

This way they can see hosts and services for which they are not a contact.

-- 
-sg