Huntgroups, Users and Proxy



I am going in circles here and not getting anywhere. I will try to describe what I want to do starting with huntgroups.

huntgroup:
All             NAS-IP-Address == 10.213.226.1
All             NAS-IP-Address == 10.213.226.2
All             NAS-IP-Address == 10.213.226.3
All             NAS-IP-Address == 192.168.224.5
All             NAS-IP-Address == 192.168.224.36
All             NAS-IP-Address == 172.213.226.46

Bldg1           NAS-IP-Address == 10.213.226.1
Bldg1           NAS-IP-Address == 10.213.226.2
Bldg1           NAS-IP-Address == 10.213.226.3
Bldg1           NAS-IP-Address == 192.168.224.5
Bldg1           NAS-IP-Address == 192.168.224.36

Bldg2           NAS-IP-Address == 172.213.226.46

UnitA           NAS-IP-Address == 10.213.226.1
UnitA           NAS-IP-Address == 10.213.226.2
UnitA           NAS-IP-Address == 10.213.226.3
UnitA           NAS-IP-Address == 172.213.226.46

UnitB           NAS-IP-Address == 192.168.224.5
UnitB           NAS-IP-Address == 192.168.224.36
UnitB           NAS-IP-Address == 172.213.226.46

UnitAB          NAS-IP-Address == 172.213.226.46

TypeVPN         NAS-IP-Address == 192.168.224.5

TypeGW          NAS-IP-Address == 192.168.224.36

===========================

Now, what I need is multiple proxy statements for each.  For example I want

For each group below, in addition to what is listed, I want default to fall through to (proxy to):
realm DEFAULT {
        type            = radius
        authhost        = highered.edu
        accthost        = highered.edu
        nostrip
}
===================

"All"     Authenticate with a Null Realm
          or
          Authenticate user@generic.edu
"Bldg1"   Authenticate with a Null Realm
          or
          Authenticate user@generic.edu
"UnitA"   Authenticate with user@unita.generic.edu
          or
          Authenticate with Null Realm
          or
          Authenticate user@generic.edu
          But NOT
          user@unitb.generic.edu
"UnitB"   Authenticate with user@unitb.generic.edu
          or
          Authenticate with Null Realm
          or
          Authenticate user@generic.edu
          but NOT
          user@unita.generic.edu
"UnitAB"  Authenticate with user@unita.generic.edu
          or
          Authenticate with user@unitb.generic.edu
          or
          user@generic.edu
          or
          Null realm
"TypeVPN" Authenticate ONLY with Null Realm

So I can add these as DEFAULT users in the users file, based on huntgroup, but from there I am at a loss as to what entry to put and the config in proxy.conf to match.

I think I could do the following

users:
DEFAULT Huntgroup-Name == TypeVPN, Proxy-To-Realm := realm1.edu
DEFAULT Huntgroup-Name == TypeGW, Proxy-To-Realm := realm2.edu
DEFAULT Huntgroup-Name == UnitAB, Proxy-To-Realm := realm3.edu
DEFAULT Huntgroup-Name == UnitA, Proxy-To-Realm := realm4.edu
DEFAULT Huntgroup-Name == UnitB, Proxy-To-Realm := realm5.edu
DEFAULT Huntgroup-Name == Bldg1, Proxy-To-Realm := realm6.edu
DEFAULT Huntgroup-Name == Bldg2, Proxy-To-Realm := realm7.edu
DEFAULT Huntgroup-Name == All, Proxy-To-Realm := realm8.edu

But how can I get them to only allow certain @realms? Is there a way to define in here something like this?

DEFAULT Huntgroup-Name == UnitA, *@unita.generic.edu Proxy-To-Realm := realm4.edu

but then in proxy.conf how can I keep it so it does not allow UnitA users to authenticate on UnitB NAS's (unless it is a UnitAB) but still allows user@generic.edu, Null and DEFAULT proxy as mentioned above?

I have looked at the mailing list and found many setups, but none seem to take into account the actual realm a user tries to log into.

Thanks.

--
   Walter Reynolds
   Principal Systems Security Development Engineer
   Information Technology Central Services
   University of Michigan
   (734)615-9438
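As an added example (not part of the post above and not from the FreeRADIUS project), here is one way to express the "which @realm is allowed on which huntgroup" rules in the users file, using the Realm attribute as a check item instead of a wildcard on User-Name. It assumes the realm module runs before the files module in authorize (so Realm is already set, with the value "NULL" for a bare user name), that proxy.conf defines realm NULL with authhost = LOCAL alongside the unita.generic.edu, unitb.generic.edu, generic.edu and DEFAULT realms, and that the huntgroup names are the ones defined in the huntgroups file above.

```conf
# users (example entries; the huntgroup and realm names are taken from the
# post, the ordering and the Realm check items are this example's own)
#
# The files module uses the first DEFAULT whose check items ALL match and
# stops there unless Fall-Through = Yes. So: an "allow" entry per permitted
# realm first, then a per-huntgroup Reject that catches everything else.
# The UnitAB NAS is also a member of UnitA, UnitB and All, so its entries
# must come before the UnitA/UnitB deny rules or they would reject it.
#
# Proxy-To-Realm is already set by the realm module for every realm that is
# defined in proxy.conf; these entries only decide what is allowed where.

# TypeVPN: ONLY the NULL realm; any user@realm is rejected.
DEFAULT Huntgroup-Name == "TypeVPN", Realm == "NULL"
        Fall-Through = No
DEFAULT Huntgroup-Name == "TypeVPN"
        Auth-Type := Reject

# UnitAB NAS: both units are fine here, so accept them before the
# UnitA/UnitB deny rules below can see this request.
DEFAULT Huntgroup-Name == "UnitAB", Realm == "unita.generic.edu"
        Fall-Through = No
DEFAULT Huntgroup-Name == "UnitAB", Realm == "unitb.generic.edu"
        Fall-Through = No

# UnitA NAS's: unita users allowed, unitb users explicitly rejected.
DEFAULT Huntgroup-Name == "UnitA", Realm == "unita.generic.edu"
        Fall-Through = No
DEFAULT Huntgroup-Name == "UnitA", Realm == "unitb.generic.edu"
        Auth-Type := Reject

# UnitB NAS's: the mirror image.
DEFAULT Huntgroup-Name == "UnitB", Realm == "unitb.generic.edu"
        Fall-Through = No
DEFAULT Huntgroup-Name == "UnitB", Realm == "unita.generic.edu"
        Auth-Type := Reject

# Anything that reaches this point (NULL realm, user@generic.edu, or an
# unknown realm that the realm module mapped to realm DEFAULT) leaves the
# users file untouched and is handled locally or proxied as proxy.conf says.
```

Run `radiusd -X` and send one test request per NAS and realm combination (radtest with the NAS-IP-Address of each huntgroup member) to confirm that exactly the intended entry matches in the debug output before putting this in production.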



