Any way to set device group in clients.conf?

Alan DeKok aland at deployingradius.com
Fri Aug 9 02:25:03 CEST 2019


On Aug 8, 2019, at 8:00 PM, Mike Ely <me at mikeely.org> wrote:
> 
> We're authenticating our users via AD using a combination of
> clients.conf and then a perl script in post-auth. This works fine with
> the exception that the device has to be defined in both clients.conf and
> the perl script. To avoid the possibility of mistakes I'm trying to
> remove this duplication if at all possible. After scouring the official
> documentation all afternoon as well as looking at external sources I'm
> nowhere closer to knowing how to do this than before.
> 
> Ideally I'd like to do something like this:
> 
> client router-a {
> 	ipaddr		= 1.2.3.4
> 	secret		= topsecret
> 	deviceclass	= NOC_only
> }

  You can do that.  A small secret is that the configuration files are a key-value store.  You can put pretty much anything you want in there, so long as the data follows the standard format.

> I'm not attached to "deviceclass" in any literal sense, just using it as
> an example of what I'm trying to accomplish. Ideally then the perl
> script could do what it normally does, which is to examine the
> authenticated request and authorize if the authenticated user is a
> member of the requisite group, only it's looking up the device's type
> from the original request rather than having to maintain a separate
> array of IP addresses which can get out of sync from clients.conf.

  You can use %{client:deviceclass} to get the deviceclass field from the configuration files.

  To use that in Perl, you will have to copy the value into an attribute.  Perl can't call the %{...} expansions, unfortunately.

> One thing I had considered was adding the bogus deviceclass attribute in
> clients.conf and just having the perl script read that out of the file,
> but then I ran into a stopper: among the many unforgivable bugs the
> Supermicro IPMI has in its radius stack is that it _always_ passes
> 127.0.0.1 as its NAS-IP-Address in the radius request:
> 
> (0) perl: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} ->
> '127.0.0.1'

  Yeah.  That's why we don't trust NAS-IP-Address.  It can be anything.

> Thus the perl script assumes that any request coming in with that
> attribute pair is an IPMI:
> 
> my @ipmi = '127.0.0.1';

  Look at Packet-Src-IP-Address to see which IP the packet came from.  Or, do:

	update request {
		Tmp-String-0 := "%{client:deviceclass}"
	}
	perl

  and then access Tmp-String-0 in the Perl module.  Which will contain the device class.

> Please forgive this digression, but I felt it useful to explain the sort
> of Catch-22 situation that I'm in with these IPMI devices. Any help
> figuring out how to get a device type set from clients.conf would be
> very welcome.
 
  You've got 70% of it already.  Just 3 lines of extra glue is all you need.

  Alan DeKok.
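The glue Alan describes, as an added example that is not part of the original thread: an rlm_perl post_auth handler that reads the device class copied into Tmp-String-0 by the update block above and checks it against a class-to-group mapping. The mapping itself, the group names, and the use of Tmp-String-1 for the user's AD groups are assumptions about the site, not anything stated in the thread.

```perl
use strict;
use warnings;

# Return codes and log levels as listed in rlm_perl's example.pl
# (values match src/include/modules.h and src/include/log.h).
use constant {
    RLM_MODULE_REJECT => 0,
    RLM_MODULE_OK     => 2,
};
use constant { L_AUTH => 2, L_DBG => 16 };

# rlm_perl fills these hashes with the request, reply and check lists.
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# Assumed policy: which AD group may log in to each deviceclass named in
# clients.conf. Constructed sample values; the real mapping is site-specific.
my %required_group = (
    NOC_only => 'NOC-Admins',
    general  => 'All-Staff',
);

# Decide whether a user holding @groups may use a device of $deviceclass.
# Fails closed: a client with no deviceclass, or an unknown class, is denied,
# so a forgotten line in clients.conf cannot silently widen access.
sub device_allowed {
    my ($deviceclass, @groups) = @_;
    return 0 unless defined $deviceclass && length $deviceclass;
    my $wanted = $required_group{$deviceclass};
    return 0 unless defined $wanted;
    return (grep { $_ eq $wanted } @groups) ? 1 : 0;
}

sub post_auth {
    # Tmp-String-0 holds %{client:deviceclass}, copied by the
    # "update request" block in the reply above.
    my $deviceclass = $RAD_REQUEST{'Tmp-String-0'};
    # Assumption: the existing AD lookup leaves the user's groups in
    # Tmp-String-1 as a comma-separated list.
    my @groups = split /\s*,\s*/, ($RAD_REQUEST{'Tmp-String-1'} // '');
    my $user = $RAD_REQUEST{'User-Name'} // 'unknown';
    my $class = $deviceclass // '';

    if (device_allowed($deviceclass, @groups)) {
        &radiusd::radlog(L_DBG, "perl: $user allowed on class '$class'");
        return RLM_MODULE_OK;
    }
    &radiusd::radlog(L_AUTH, "perl: $user denied on class '$class'");
    $RAD_REPLY{'Reply-Message'} = 'Not authorized for this device';
    return RLM_MODULE_REJECT;
}

1;
```

Because the class comes from the client definition that matched the packet's source address, the bogus NAS-IP-Address of 127.0.0.1 sent by the IPMI devices no longer matters to the script.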
