How to differentiate between vpn user and appliance user?

D C dc12078 at gmail.com
Fri Jul 24 14:52:41 CEST 2015


On Fri, Jul 24, 2015 at 8:02 AM, D C <dc12078 at gmail.com> wrote:

> I recently configured a radius server with openldap backend to handle
> central auth for all my network equipment.  The ldap module is using
> "radiusGroupName" as my groupmembership_attribute.
>
> I've configured post-auth and the users file in such a way that I can log
> into devices with my ldap credentials ONLY if I am a member of one of 2
> groups.  My reply-item attributes are stored in ldap within the group, and
> all that is working great.  Valid users who are not members of these
> defined groups get rejected.  Perfect.
>
> Now the tricky part.  I have a third ldap group that I want to use in
> order to assign vpn access to people. So some users may be members of only
> the vpn group, and some may be members of the superadmin group as well as
> the vpn group.  This causes two problems.
>
> 1) If I allow the vpn group, then vpn users will be able to login to
> network equipment which is definitely not desired.
>
> 2) I don't currently have any way to determine within radius if a user is
> trying to login to the vpn, or if they are trying to ssh to my firewall.
>
>
> I'm not really sure what I should do to work around this.  My only idea
> I've come up with (which I don't like), is to have my firewall set a
> different NAS-ip for the vpn users.  If that is different, then I imagine I
> can probably write some logic in post-auth to handle it.  Is there a better
> way to do this?
>
>
> The radius configuration on my firewall will let me set the nas-ip,
> auth-type, which source ip to communicate with, and which destination port
> the radius server is listening on.  I've not yet looked into how the
> virtual servers work in radius, so maybe I can setup a different port and
> config for my vpn users to auth against.
>
>
> Using FreeRadius 2.1.12.
>
Sorry for reposting, I just realized I never set a subject...
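As an added example (not from this thread) of the virtual-server idea raised above: the firewall sends VPN authentication to a second port, and a dedicated virtual server only accepts members of the VPN group, while the default server keeps enforcing the admin groups. Assumptions: FreeRADIUS 2.x, an ldap module instance named "ldap", LDAP groups "vpn-users" and "netadmins", and VPN requests arriving from NAS-IP-Address 192.0.2.1 (all names and addresses are made up for the example).

```conf
# sites-enabled/vpn-auth  (example, assumed names)
# The firewall's VPN client is pointed at UDP port 1814; network-device
# logins keep using the default server on 1812.
server vpn-auth {
    listen {
        type = auth
        ipaddr = *
        port = 1814
        virtual_server = vpn-auth
    }

    authorize {
        preprocess
        ldap                       # look up the user so Ldap-Group can be checked
        if (!(Ldap-Group == "vpn-users")) {
            reject                 # superadmins without VPN membership are refused here
        }
    }

    authenticate {
        Auth-Type LDAP {
            ldap
        }
    }

    post-auth {
        # VPN reply items only; device reply items never reach this server
    }
}

# sites-enabled/default, authorize section (only the relevant lines shown)
authorize {
    preprocess
    ldap
    # Defence in depth: anything from the VPN-facing NAS address that still
    # hits the device-login server is rejected, regardless of group.
    if (NAS-IP-Address == 192.0.2.1) {
        reject
    }
    # Device logins stay restricted to the admin group(s).
    if (!(Ldap-Group == "netadmins")) {
        reject
    }
}
```

Test the split with radtest against each port (1812 and 1814) for a user who is only in vpn-users and for one who is only in netadmins: each should be accepted on exactly one of the two.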

