Freeradius privilege separation

Josip Rodin joy at entuzijast.net
Thu May 13 19:24:59 CEST 2010


On Thu, May 13, 2010 at 03:23:37PM +0200, Michał Dopierała wrote:
> Is it possible in freeradius to have one user who has a full privilege level
> on one piece of equipment (one Cisco router, privilege lvl 15), and a limited privilege
> level on other equipment (another router with a smaller privilege, e.g. lvl 10,
> which will be configured on the router)?
> How do I separate them?
> My current configuration of users:
> 
>  mdopierala      Auth-Type := PAP, Crypt-Password = "passwrd"
>                 Service-Type = "Administrative-User",
>                 Cisco-AVPair="shell:priv-lvl=15",
>                 Brocade-Auth-Role ="Administrator"

Yes, just answer differently to each client (router) by assigning them to
different virtual hosts.

You can probably keep the authentication part in the users file if you want,
but you can move the repetitive part of the authorization to unlang.
Then your per-user attributes can be checked automatically with logic such
as:

                if ("%{reply:Service-Type}" == "Login-User") {
                        update reply {
                                Cisco-AVPair = "shell:priv-lvl=1"
                        }
                }
                elsif ("%{reply:Service-Type}" == "Administrative-User") {
                        update reply {
                                Cisco-AVPair = "shell:priv-lvl=15"
                        }
                }
                else {
                        reject
                }

-- 
     2. That which causes joy or happiness.
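The set-up described in the reply above, written out as an added example (it is not configuration from the original post or from the FreeRADIUS project): each NAS is bound to a virtual server in clients.conf, and each virtual server derives the Cisco-AVPair from the Service-Type returned by the users file, with a different cap per virtual server. The client names, IP addresses, shared secrets and virtual-server names are assumed placeholders.

```unlang
# clients.conf: each router is a separate client with its own shared secret,
# and the virtual_server option routes its requests to a named server block.
client router-lab {
        ipaddr         = 192.0.2.10          # assumed address
        secret         = CHANGE-ME-lab       # placeholder, use a long random secret
        nastype        = cisco
        virtual_server = nas-full
}

client router-core {
        ipaddr         = 192.0.2.20          # assumed address
        secret         = CHANGE-ME-core      # placeholder, use a long random secret
        nastype        = cisco
        virtual_server = nas-limited
}

# sites-enabled/nas-full: the users file supplies Service-Type, the policy
# maps it to a privilege level. Anything else is rejected (default deny).
server nas-full {
        authorize {
                files
                pap
                if ("%{reply:Service-Type}" == "Administrative-User") {
                        update reply {
                                Cisco-AVPair := "shell:priv-lvl=15"
                        }
                }
                elsif ("%{reply:Service-Type}" == "Login-User") {
                        update reply {
                                Cisco-AVPair := "shell:priv-lvl=1"
                        }
                }
                else {
                        reject
                }
        }
        authenticate {
                Auth-Type PAP {
                        pap
                }
        }
}

# sites-enabled/nas-limited: same users file, same logic, but the
# administrative role is capped at priv-lvl 10 on this equipment.
server nas-limited {
        authorize {
                files
                pap
                if ("%{reply:Service-Type}" == "Administrative-User") {
                        update reply {
                                Cisco-AVPair := "shell:priv-lvl=10"
                        }
                }
                elsif ("%{reply:Service-Type}" == "Login-User") {
                        update reply {
                                Cisco-AVPair := "shell:priv-lvl=1"
                        }
                }
                else {
                        reject
                }
        }
        authenticate {
                Auth-Type PAP {
                        pap
                }
        }
}
```

With this layout the per-user entry in the users file keeps only the credentials and the Service-Type; the Cisco-AVPair line is dropped from it so the privilege level is decided solely by the virtual server the router is bound to. The `:=` operator is used rather than `=` so that a privilege level still present in a users-file entry cannot slip past the cap, and the trailing `reject` ensures a user with no recognised Service-Type gets no shell access at all rather than a default level.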