NAS login class to RADIUS authenticated ldap users
Alan DeKok
aland at deployingradius.com
Sun Jun 25 05:05:47 CEST 2017
On Jun 24, 2017, at 5:53 PM, Darrain Waters <dwaters at bioteam.net> wrote:
>
> I need to map ldap authenticated (389directory) users to juniper nas local
> accounts that all have different access rights. I clearly run the ldap
> module, and do a group search to verify a user can access based on group.
> Is it possible to take the group the ldap module finds and map it to a same
> named account on the juniper was ?
I'm not really sure what that means...
> I want to avoid using the remote user id on the juniper nas with the access
> class that I assign, and instead use the different accounts on the juniper
> nas which are different access levels:
>
> user-ro
> user-op
> user-su
Could you describe what you want to do using examples... i.e. what a user types when they login to the Juniper box, what's in the Access-Request, and what you want to be in the Access-Accept.
i.e. In order to configure it, you need to know what you want it to do. Once your requirements are written down, the solutions are usually pretty straightforward.
> I have not messed with the git pulled 3.0.14 config files other than ldap,
> clients.conf and users file. See radiusd -X below for run info. In my
> users file I have:
>
> DEFAULT LDAP-Group == "admins", Auth-Type := Accept
That lets users log in without doing password checks. This is likely not what you want.
> Junipers instructions are as follow, which I have tried:
Do those instructions work? If so, make small modifications to change them to do what you want.
Alan DeKok.
More information about the Freeradius-Users
mailing list