Two-Step LDAP authentication?

Alexander Clouter alex at digriz.org.uk
Thu Sep 16 15:02:54 CEST 2010


In article <BAY154-w6AE2B5874B5015E85E875C07A0 at phx.gbl> you wrote:
>
> I'm a new subscriber of this list. I'm trying to setup a radius server 
> with LDAP authentication; I've managed to authenticate a user (from a 
> Cisco Device), but my fellows from Security Department think that we 
> should have a two-step authentication:
>
Ask your security folk for *today* a list of people who may only 
administer one selection of devices and not the other.  If they 
actually do not use the facility then it is a waste of time implementing 
it (it is easy enough to implement later on); I get the impression this 
is a "not needed but would be nice if this could be done". :)

Far more appropriate is to configure the switches to all log to a central 
syslog server (so you know who and when someone logged in and out) and 
configure something like RANCID to record the configuration changes.

...anyway, onto the problem.

> 1. User/password authentication, searching in 
> cn=users,ou=pepe,ou=jose,c=es
>
> 2. A compare request, searching a specific objectclass in the LDAP 
> tree.
>
> So, the idea is the following one: depending on the NAS-IP-Address, 
> not only to check for a correct password, but search the uid in an 
> objectclass called owner in the entry cn=deviceX,ou=pepe,ou=jose,c=es.
> 
> deviceX is the one with the source NAS-IP-Address. I know how to 
> unlang using switch statements, configuring different ldap modules 
> in the radius server, so I can write the basedn I want.
> 
> But how can I do step 2?
> 
The easiest approach is to create LDAP groups based on the 
NAS-IP-Address and then test to see if the user is a member of the group 
'%{NAS-IP-Address}'.  Once you create the LDAP groups and make the users 
members of them you can use unlang in your 'authorize' section in a 
manner like:

authorize {
	....

	# step 1: look the user up (and authenticate) via the ldap module
	ldap

	# step 2: reject unless the user is in the group named after the NAS
	if (Ldap-Group != "%{NAS-IP-Address}") {
		update reply {
			Reply-Message := "no way kiddo"
		}
		reject
	}

	....
}

This is off the top of my head but should give you what you are looking 
for; you will see in the output of 'freeradius -X' it doing what you 
roughly need.  The only problem I can see with it is that if you have a 
lot of switches to log into, the number of groups you have to add a user 
to becomes a real tedious process; this problem could be solved by using 
something like the following instead:

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg59481.html
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg62699.html

Cheers

-- 
Alexander Clouter
.sigmonster says: I hate quotations.
                  		-- Ralph Waldo Emerson
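To make the decision logic of that 'authorize' block concrete, here is an added Python model of the two-step check (bind as the user, then require membership of the group named after the NAS-IP-Address); it is not FreeRADIUS or LDAP-server code, and the in-memory directory, the ou=groups branch, the 'member' attribute and the sample users are constructed assumptions.

```python
# Toy model of the two-step authorisation discussed in the thread:
# (1) bind as the user, (2) require membership of an LDAP group whose
# cn equals the NAS-IP-Address.  A missing group means reject (fail closed).
import hmac
from dataclasses import dataclass

USER_BASE = "cn=users,ou=pepe,ou=jose,c=es"
GROUP_BASE = "ou=groups,ou=pepe,ou=jose,c=es"   # assumed group branch

# Constructed directory snapshot: DN -> attributes.  Plaintext passwords are
# used only because this stands in for the server-side bind.
DIRECTORY = {
    f"uid=alice,{USER_BASE}": {"userPassword": "alice-pw"},
    f"uid=bob,{USER_BASE}": {"userPassword": "bob-pw"},
    # one group per device, named after its NAS-IP-Address
    f"cn=10.0.0.1,{GROUP_BASE}": {
        "member": [f"uid=alice,{USER_BASE}", f"uid=bob,{USER_BASE}"]},
    f"cn=10.0.0.2,{GROUP_BASE}": {
        "member": [f"uid=alice,{USER_BASE}"]},
}


@dataclass
class Decision:
    accept: bool
    reply_message: str


def ldap_bind(uid: str, password: str) -> bool:
    """Step 1: what the 'ldap' module does when it binds as the user."""
    entry = DIRECTORY.get(f"uid={uid},{USER_BASE}")
    if entry is None:
        return False
    return hmac.compare_digest(entry["userPassword"], password)


def ldap_group_member(uid: str, group_cn: str) -> bool:
    """Step 2: the Ldap-Group == "%{NAS-IP-Address}" comparison."""
    group = DIRECTORY.get(f"cn={group_cn},{GROUP_BASE}")
    if group is None:
        return False            # unknown NAS / no group: reject by default
    return f"uid={uid},{USER_BASE}" in group.get("member", [])


def authorize(user_name: str, password: str, nas_ip: str) -> Decision:
    """Mirror of the unlang block: ldap, then reject unless in the NAS group."""
    if not ldap_bind(user_name, password):
        return Decision(False, "bad credentials")
    if not ldap_group_member(user_name, nas_ip):
        return Decision(False, "no way kiddo")
    return Decision(True, "")
```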