Trying to wrap my head around FreeRadius config

Moe, John jmoe at hatch.com.au
Thu Jul 21 07:48:34 CEST 2011


> -----Original Message-----
> > 1.) Use only ntlm_auth.  If necessary you can use "require-membership-
> > of" (I forget exact syntax) to ensure only members of "Network Admins"
> > can get a cli on your network gear.  It will also work for 802.1x
>
> From what I've read, require-membership-of is a switch to ntlm_auth, and (if
> I've understood these things properly) I'm going to need to create multiple
> instances of the "exec" module, one for each group I'm going to want to use
> as a check.  Hopefully, someone can tell me if I've got this right.

Actually, looking into this a bit more, I think I need to use an if block. 
Something like:

if (ntlm_auth with --require-membership-of testing against an AD group succeeds) {
  update reply {
    # HP ProCurve switches want a Service-Type of Administrative for manager access
    Service-Type := 6
  }
  # I think/assume this adds Access-Accept to the reply items, and marks it as "handled"?
  ok
}
elsif (ntlm_auth with --require-membership-of testing against another AD group succeeds) {
  update reply {
    # HP ProCurve switches want a Service-Type of NAS Prompt for operator access
    Service-Type := 7
  }
  # See comment for "ok" above
  ok
}
# I don't think this else block is needed at all?
else {
  # Not handled, let processing continue
  noop
}

Does this look right?  How do I configure the checking in the parentheses?
I'm assuming I don't just put
"ntlm_auth --require-membership-of=DOMAIN\\GROUP1 --username=%{mschap:User-Name} --password=%{User-Password}" in the parentheses?


John H. Moe
Network Support - Hatch IT
HATCH
Tel: +61 (7) 3166 7777
Direct: +61 (7) 3166 7684
Fax: +61 (7) 3368 3754
Mobile: +61 438 772 425
61 Petrie Terrace, Brisbane, Queensland Australia 4011
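
One way to write the checks in the parentheses, as an added example that is not from this thread or from the FreeRADIUS distribution: instead of trying to call a module inside the condition, each branch runs ntlm_auth through the %{exec:...} xlat and tests its output, so group membership and password check happen in one call. It assumes the FreeRADIUS 2.x config layout, ntlm_auth at /usr/bin/ntlm_auth, a domain named EXAMPLE, placeholder group SIDs, and that the authorize section already sets control:Auth-Type := ntlm_auth for these requests.

```conf
# raddb/modules/exec: the %{exec:...} xlat only returns program output
# when wait = yes (the shipped default is fire-and-forget).
exec {
    wait = yes
    input_pairs = request
    shell_escape = yes
    output = none
}

# raddb/sites-enabled/default, authenticate section. Assumes authorize
# has already set "control:Auth-Type := ntlm_auth" for these requests.
authenticate {
    Auth-Type ntlm_auth {
        # ntlm_auth prints "NT_STATUS_OK: Success (0x0)" only when the
        # password is correct AND the user is in the required group, so
        # each branch is an authentication plus a group authorisation.
        # Groups are given by SID (placeholders below; look them up with
        # "wbinfo --name-to-sid") so a renamed group cannot silently
        # change who gets manager access. Most privileged group first.
        # The password is passed on the command line, so it is briefly
        # visible in the process list on the RADIUS host itself.
        if ("%{exec:/usr/bin/ntlm_auth --domain=EXAMPLE --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of=S-1-5-21-PLACEHOLDER-1105}" =~ /^NT_STATUS_OK/) {
            update reply {
                # Administrative-User (6): ProCurve manager level
                Service-Type := Administrative-User
            }
            ok
        }
        elsif ("%{exec:/usr/bin/ntlm_auth --domain=EXAMPLE --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of=S-1-5-21-PLACEHOLDER-1106}" =~ /^NT_STATUS_OK/) {
            update reply {
                # NAS-Prompt-User (7): ProCurve operator level
                Service-Type := NAS-Prompt-User
            }
            ok
        }
        else {
            # Wrong password, or not in either group: deny by default.
            # A wrong password is tried once per group above, so it
            # counts twice against the AD account-lockout threshold.
            reject
        }
    }
}
```

Confirm with radiusd -X that the expected branch fires for a test account in each group before pointing the switches at it.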
