restricting access for users

alan walters alan at aillweecave.ie
Mon Jun 13 14:30:49 CEST 2005


I have a configuration similar to your option no. 1.
From reading the huntgroups how-to and the users how-to, this seems to
be the most correct method to use.

I have a second issue with this in that the users file has a default
reject if the group is not matched. This also is not being used
correctly by freeradius. The user defaults into that if their group does
not match but does not get rejected.

Please can someone confirm these findings.

Regards

alan

-----Original Message-----
From: freeradius-users-bounces at lists.freeradius.org
[mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of
Martial VdB
Sent: 13 June 2005 13:06
To: freeradius-users at lists.freeradius.org
Subject: RE: restricting access for users

Hi Alan,

thank you for replying,

this is how I tried this before, I will try to keep this as short as
possible.

1)
users:
bob       Password == "bob", Huntgroup-Name == "diegem"
          Login-Service = 0,
          Vendor-Specific = 9,
          Reply-Message = "Hello, bob",
          Cisco-AVpair = "shell:priv-lvl=15",
          Service-Type = NAS-Prompt-User

huntgroups:

diegem             NAS-IP-Address == 10.5.x.x
diegem             NAS-IP-Address == 10.5.x.x
diegem             NAS-IP-Address == 10.5.x.x
brussels           NAS-IP-Address == 10.2.x.x

I hoped that the NAS IP addresses belonging to diegem were only accessible
for users who had Huntgroup-Name == "diegem" in their config. But this did
not seem to make a difference.

**************************************************************************
2)
users:
DEFAULT   Auth-Type = System
          Login-Service = 0,
          Vendor-Specific = 9,
          Service-Type = NAS-Prompt-User,
          Cisco-AVpair = "shell:priv-lvl=15"
$enab15$
bob
bobke

huntgroups:

diegem             NAS-IP-Address == 10.5.x.x
diegem             NAS-IP-Address == 10.5.x.x
diegem             NAS-IP-Address == 10.5.x.x
                   Group == NOC
brussels           NAS-IP-Address == 10.2.x.x

I made bob and bobke local users on my machine and added them to # groups:
bob to NOC and bobke to brussels.
bob:x:1005:1005::/home/bob:
bobke:x:1006:1006::/home/bobke:
NOC:x:1005:
brussels:x:1006:

If the user was not a member of group NOC he would be refused on the NAS
servers belonging to huntgroup diegem, because diegem is linked to group
NOC (Group == NOC). This did not work either.

In both cases every user was allowed access as soon as the username and
password checked out. I also had problems with NAS IP addresses belonging
to more than 1 group. It looked like the groups are processed from top to
bottom and as soon as it hits the first entry of that address freeradius
allows access.
But for my problem to be solved it should cache information like Group =
NOC or for example user_pool = diegem, and compare this information against
an entry in the users file like user_pool=diegem, or check if on the system
bob's primary group is NOC.

I did several more combinations but I think one of these 2 should work.
Perhaps I made a configuration error?

Big thank you in advance only for reading and getting into this problem.
If I was not clear enough please let me know.

Martial

>Yes this is my experience as well. Running v 1.0.2 there was nothing in
>the change log for 1.0.3 to say this was fixed either.
>Just as a note when I posted these findings nothing came back.

>I was using an ldap backend as well. It would be great to have a detailed
>explanation of this one and maybe confirmation that it is not working or
>whether it is syntax that causes the problem

>Alan


>>From: "Martial VdB" <mdbnoc at hotmail.com>
>>Reply-To: FreeRadius users mailing list 
>><freeradius-users at lists.freeradius.org>
>>To: freeradius-users at lists.freeradius.org
>>Subject: restricting access for users
>>Date: Mon, 13 Jun 2005 09:22:14 +0200
>>
>>Hi there,
>>
>>I'm a newbie here so forgive me if I ask obvious questions.
>>
>>I'm trying to setup, well actually I did setup FreeRADIUS Version 1.0.2
>>on a Linux Debian machine and it is working fine :)
>>But I need to achieve the following setup:
>>
>>We have # cisco routers and switches which are locally managed by on-site
>>engineers. So these local engineers have to be able to log in to their
>>devices and not be allowed to log in to devices on other sites. Next to
>>these different site engineers there is a group called NOC. The NOC
>>engineers need to access all devices on all sites.
>>
>>I've tried several setups by using the huntgroups and using system as
>>authentication method but I can't get the huntgroup validation to work.
>>It looks like the huntgroups are just ignored. Everyone can just enter
>>any device as soon as their username and password is matched on the
>>system.
>>
>>Did someone do a similar setup where users were restricted and with a
>>general group that needs access everywhere or can someone tell me how I
>>should take this on. It should be fairly easy I thought...
>>
>>
>>Thanks for your help, it is highly appreciated,
>>
>>Martial
>
>
>- List info/subscribe/unsubscribe? See 
>http://www.freeradius.org/list/users.html
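The "processed from top to bottom, first entry wins" behaviour Martial describes is the key to why a Group restriction placed on only one of the three diegem lines never bites for the other two addresses. The script below is an added illustration (not FreeRADIUS code, not from either poster) that models the huntgroups stage alone: the first line whose NAS-IP-Address item fits the request selects the huntgroup, and only that line's indented items (Group == NOC) are then enforced. The NAS addresses 10.5.0.1-3 and 10.2.0.1, the users and the group table are constructed stand-ins for the 10.5.x.x / 10.2.x.x placeholders and the /etc/passwd and /etc/group lines in the post; the membership rule (primary gid or listed member) is an assumption made by the model.

```python
# Added example: a first-match model of huntgroups evaluation, written to show
# the effect of attaching "Group == NOC" to one diegem line versus every line.
# It is not FreeRADIUS source; addresses, users and groups are constructed.
from dataclasses import dataclass, field

# Constructed /etc/passwd and /etc/group equivalents:
# user -> primary gid, group -> (gid, explicit member list).
PASSWD = {"bob": 1005, "bobke": 1006}
GROUPS = {"NOC": (1005, []), "brussels": (1006, [])}


def in_group(user: str, group: str) -> bool:
    """Unix group membership as assumed here: primary gid or listed member."""
    if user not in PASSWD or group not in GROUPS:
        return False
    gid, members = GROUPS[group]
    return PASSWD[user] == gid or user in members


@dataclass
class HuntgroupLine:
    """One line of the huntgroups file: the name, the items that select the
    line (NAS-IP-Address == ...) and the indented items that must also hold
    once the line has been selected (Group == ...)."""
    name: str
    match: list = field(default_factory=list)   # [(attribute, value), ...]
    access: list = field(default_factory=list)  # [(attribute, value), ...]


def check_item(request: dict, attribute: str, value: str) -> bool:
    """Group is resolved against the group table; anything else is a plain
    string comparison against the request attribute."""
    if attribute == "Group":
        return in_group(request.get("User-Name", ""), value)
    return request.get(attribute) == value


def evaluate(huntgroups: list, request: dict) -> tuple:
    """First-match evaluation. Returns (decision, huntgroup name or None):
    the first line whose match items fit decides, and its access items are
    binding; later lines with the same name are never consulted."""
    for line in huntgroups:
        if not all(check_item(request, a, v) for a, v in line.match):
            continue
        if all(check_item(request, a, v) for a, v in line.access):
            return ("ok", line.name)
        return ("reject", line.name)
    return ("ok", None)  # no line matched: not huntgroup-controlled at all


# Layout as posted: the Group restriction hangs off the third diegem line only.
AS_POSTED = [
    HuntgroupLine("diegem", [("NAS-IP-Address", "10.5.0.1")]),
    HuntgroupLine("diegem", [("NAS-IP-Address", "10.5.0.2")]),
    HuntgroupLine("diegem", [("NAS-IP-Address", "10.5.0.3")], [("Group", "NOC")]),
    HuntgroupLine("brussels", [("NAS-IP-Address", "10.2.0.1")]),
]

# Same huntgroups with the restriction repeated on every diegem line.
PER_LINE = [
    HuntgroupLine("diegem", [("NAS-IP-Address", ip)], [("Group", "NOC")])
    for ip in ("10.5.0.1", "10.5.0.2", "10.5.0.3")
] + [HuntgroupLine("brussels", [("NAS-IP-Address", "10.2.0.1")])]


def login(huntgroups: list, user: str, nas: str) -> tuple:
    """Build a minimal request for user/NAS and evaluate it."""
    return evaluate(huntgroups, {"User-Name": user, "NAS-IP-Address": nas})


if __name__ == "__main__":
    for user in ("bob", "bobke"):
        for nas in ("10.5.0.1", "10.5.0.3", "10.2.0.1"):
            print(user, nas, "as posted:", login(AS_POSTED, user, nas),
                  "per line:", login(PER_LINE, user, nas))
```

Run as posted, bobke (not in NOC) is accepted on 10.5.0.1 and 10.5.0.2 and only rejected on 10.5.0.3, which is exactly the "every user gets in" symptom on most of the site; with the restriction on every diegem line he is rejected on all three and still accepted on the brussels address. Two things the model deliberately leaves out, because they decide whether the huntgroups file is consulted at all in 1.x: the file is read by the preprocess module (its huntgroups setting), and the Group comparison is provided by the unix module, so both have to be active in authorize, and the users file is evaluated afterwards on top of whatever Huntgroup-Name the match produced.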
