(no subject)
Mike May
mmay3 at nd.edu
Tue Nov 7 15:37:04 CET 2006
"Mike May" <mmay3 at nd.edu> wrote:
> Hello everyone, is it possible to have NAS entries for a subnet, if so
> could someone give me an example
raddb/clients.conf
Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Thanks for the example, Alan. I thought it may be helpful for me to provide you with some more information. I am not a RADIUS expert but have managed to keep a somewhat large client base using RADIUS. I currently use the clients file to allow connections, but not to do any real authorization. An example of my clients file is below; this is only a small section, as my RADIUS servers handle modem pool, VPN, wireless, 802.1x etc. and soon wired 802.1x. I use LDAP/Kerberos as the authn backend.

I use huntgroup entries to point to matches in my users file; see examples below. In the users file is where I am using ldaps.conf to connect to the directory servers, verifying what group the user is in and at the end authn to the Kerberos store. After the authn I set some authz like Cisco-AVPair = "priv-lvl=15", used by Cisco routers and switches for network engineers who live in the proper LDAP group; here is where the problem is. PIX firewalls do not like me setting the priv lvl, and the reason is that the PIX will only accept authz from a TACACS server (it seems like). What I need to do is specify a "netauth" == NAS-IP-ADDRESS 192.168.20.0/23 subnet instead of "netauth" == NAS-IP-ADDRESS 192.168.20.15; this way I can use my users file and not set the Cisco priv lvl for those devices that live on the firewall subnets.

Thank you for all your help
Mike
========= clients.conf=============================
# These are for network engineering devices (outside wireless and dialup)
# 2/20/06
client 172.16.255.2/29 {
        secret =
        shortname = devicenet-15
}
client 172.16.240.0/20 {
        secret =
        shortname = devicenet-16
}
client 172.17.240.0/20 {
        secret =
        shortname = devicenet-17
}
client 172.18.240.0/20 {
        secret =
        shortname = devicenet-18
}
client 172.19.240.0/20 {
        secret =
        shortname = devicenet-19
}
client 172.20.240.0/20 {
        secret =
        shortname = devicenet-20
}
client 172.21.240.0/20 {
        secret =
        shortname = devicenet-21
}
client 172.22.240.0/20 {
        secret =
        shortname = devicenet-22
}
Huntgroups
wireless-prime NAS-IP-Address == xxx.xxx.xxx.xxx
wireless-backup NAS-IP-Address == xxx.xxx.xxx.xxx
spam1 NAS-IP-Address == xxx.xxx.xxx.xxx
spam2 NAS-IP-Address == xxx.xxx.xxx.xxx
ciscovpnadmin NAS-IP-Address == xxx.xxx.xxx.xxx
dialup8 NAS-IP-Address == xxx.xxx.xxx.xxx
ciscovpnadmin2 NAS-IP-Address == xxx.xxx.xxx.xxx
dialup9 NAS-IP-Address == xxx.xxx.xxx.xxx
dialup10 NAS-IP-Address == xxx.xxx.xxx.xxx
netautz NAS-Port-Type == "Virtual"
netautz_fw NAS-IP-Address == xxxx
netautz_fw1 NAS-IP-Address == xxxxx
===================================================
Users file
DEFAULT Huntgroup-Name == "netautz", Ldap-Group == ndeg6qr2, Autz-Type := ldap-vpn, Auth-Type := ldap-vpn
        Service-Type = 6,
        Cisco-AVPair = "priv-lvl=15",
        Fall-Through = Yes
DEFAULT Huntgroup-Name == "netautz_fw", Ldap-Group == ndeg6qr2, Autz-Type := ldap-vpn, Auth-Type := ldap-vpn
        Service-Type = 6,
        Fall-Through = Yes
DEFAULT Huntgroup-Name == "netautz_fw1", Ldap-Group == ndeg6qr2, Autz-Type := ldap-vpn, Auth-Type := ldap-vpn
        Service-Type = 6,
        Fall-Through = Yes
# VPN Group Definition: please make additions at the beginning of the stanza, not the end
DEFAULT Huntgroup-Name == "ciscovpnadmin", Hint == "NETENG", Ldap-Group == ndbx2jj5, Autz-Type := ldap-vpn, Auth-Type := ldap-vpn
        CVPN3000-IPSec-Banner1 = "Welcome to VPN group NETENG!",
        Class = "OU=neteng;",
        Fall-Through = No
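The following is an added illustration, not code or configuration from the post or from FreeRADIUS. It is a small Python model of how a users file is walked (entries in order, reply items accumulated, Fall-Through = Yes continuing to later entries) with the subnet-based huntgroup the post asks for (192.168.20.0/23 standing in for the firewall subnets) in place of one entry per PIX address. It also shows why entry order matters: if a PIX reports NAS-Port-Type "Virtual" (an assumption here), the posted order, where the "netautz" entry comes first with Fall-Through = Yes, would still hand the firewall priv-lvl=15. The LDAP group name and the 172.16.240.0/20 router address are taken from the post; the request dictionaries are constructed samples.

```python
"""Model of users-file evaluation with a subnet-based huntgroup.

Illustration only: Python that mimics the first-match / Fall-Through walk of
a FreeRADIUS users file. It is not FreeRADIUS code or configuration syntax.
"""
from ipaddress import ip_address, ip_network

NETENG_GROUP = "ndeg6qr2"                 # LDAP group from the post
FIREWALL_SUBNET = ip_network("192.168.20.0/23")  # firewall subnet from the post


def in_firewall_subnet(req):
    """Subnet form of the huntgroup: one entry covers every PIX on the /23."""
    return ip_address(req["NAS-IP-Address"]) in FIREWALL_SUBNET


# Huntgroup membership tests, keyed by Huntgroup-Name.
HUNTGROUPS = {
    "netautz": lambda req: req.get("NAS-Port-Type") == "Virtual",
    "netautz_fw": in_firewall_subnet,
}


def entry(huntgroup, ldap_group, reply, fall_through):
    """One DEFAULT line: check items -> (reply items, Fall-Through flag)."""
    def check(req):
        return HUNTGROUPS[huntgroup](req) and ldap_group in req["Ldap-Groups"]
    return check, reply, fall_through


# Firewall subnet first and with Fall-Through = No, so a PIX request stops
# here and never reaches the entry that adds priv-lvl=15.
POLICY = [
    entry("netautz_fw", NETENG_GROUP, {"Service-Type": 6}, fall_through=False),
    entry("netautz", NETENG_GROUP,
          {"Service-Type": 6, "Cisco-AVPair": "priv-lvl=15"}, fall_through=True),
]

# The order as posted: the NAS-Port-Type entry first, with Fall-Through = Yes.
POLICY_AS_POSTED = [POLICY[1], POLICY[0]]


def evaluate(request, policy=POLICY):
    """Walk entries in order; merge reply items from each matching entry until
    a matching entry without Fall-Through is hit. None means nothing matched
    (user not in the group, or the NAS is in no huntgroup)."""
    reply = {}
    matched = False
    for check, attrs, fall_through in policy:
        if not check(request):
            continue
        matched = True
        reply.update(attrs)
        if not fall_through:
            break
    return reply if matched else None


def grants_priv15(request, policy=POLICY):
    """True when the accumulated reply would raise the device to priv-lvl 15."""
    reply = evaluate(request, policy)
    return bool(reply) and reply.get("Cisco-AVPair") == "priv-lvl=15"


# Constructed sample requests: a PIX on the firewall subnet and a router in
# the 172.16.240.0/20 block from clients.conf. The PIX is assumed to report
# NAS-Port-Type "Virtual", which is what makes the entry order matter.
PIX_REQUEST = {"NAS-IP-Address": "192.168.20.15", "NAS-Port-Type": "Virtual",
               "Ldap-Groups": {NETENG_GROUP}}
ROUTER_REQUEST = {"NAS-IP-Address": "172.16.240.5", "NAS-Port-Type": "Virtual",
                  "Ldap-Groups": {NETENG_GROUP}}

if __name__ == "__main__":
    for name, req in (("PIX", PIX_REQUEST), ("router", ROUTER_REQUEST)):
        print(name, "subnet-first:", evaluate(req),
              "| as posted:", evaluate(req, POLICY_AS_POSTED))
```

Whatever syntax the real huntgroups file ends up using for the prefix, the two things worth checking after the change are the same as in this model: the firewall entry is reached before any entry that sets the privilege level, and that entry does not fall through. A broad prefix that overlaps a router range would have the opposite effect, granting priv-lvl=15 to more devices rather than fewer, so keep the privileged entry the narrowest one.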