How to restrict authorization to members of FreeIPA group

Alan DeKok aland at deployingradius.com
Wed Jul 10 21:17:08 CEST 2019


On Jul 10, 2019, at 9:35 AM, Kees Bakker via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> Meanwhile we have found another suggestion which seems
> to be working. But it remains magic.

  It does what you want. :)

> In sites-available/default we have this
> 
> authorize {
> ...
>         ldap
>         if ((ok || updated) && User-Password) {
>                 update {
>                         control:Auth-Type := ldap
>                 }
>         }
>         group_authorization

  Basically "If the user was found in LDAP, AND they were trying to authenticate with a clear-text password, THEN use LDAP bind for authentication".

  The only magic is the technical bits tying it all together.

> In mods-config/preprocess/huntgroups we defined a new
> huntgroup
> 
> ourgw            NAS-IP-Address == 172.16.16.1

  You shouldn't need to do that.  You can just check the NAS-IP-Address directly.

> In a new file policy.d/group_authorization we have
> 
> #---------------------------------------------------------------------------------------
> group_authorization {
>    if (&Huntgroup-Name == "ourgw") {
>      if (&LDAP-Group[*] == "cn=vpn_users,cn=groups,cn=accounts,$SUFFIX") {
>        ok
>      }
>      else {
>        update reply {
>          &Reply-Message := "Not authorized for VPN"
>        }
>        reject
>      }
>    }
>    else {
>       update reply {
>         &Reply-Message := "Not authorized for unknown huntgroup"
>       }
>       reject
>    }
> }
> #---------------------------------------------------------------------------------------
> 
> This is working for us. But I must say that we don't know if the rejects
> in the else parts are correct.

  It's a little complex.  You can simplify it by noticing that "reject" means "reject NOW and stop processing the packet".

  Which means that you can do the following.  Though I'm not clear why you need to check for a known client.  The "clients.conf" file already checks for that.

group_authorization {
	#
	#  don't check huntgroup, just check NAS IP
	#
	if (NAS-IP-Address != 172.16.16.1) {
		reject
	}

	#
	#  If the user isn't in this LDAP group, reject
	#
	if (LDAP-Group != "cn=vpn_users,cn=groups,cn=accounts,$SUFFIX") {
		reject
	}

	ok
}

  Much simpler.

> We do have a problem that the Cisco does
> not look at its local users anymore (if the radius server is present).

  That's an issue for the Cisco documentation.

  But typically, the NAS does local *or* remote users.  The NAS may have one "fall-back" user which can log in when the RADIUS server isn't available.  But that's it.

  Alan DeKok.
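The point Alan makes above is that "reject" stops processing immediately, so the nested if/else policy and the flattened one make the same accept/reject decision. The following is an added illustration, not FreeRADIUS code or anything from the thread: it models both unlang policies as plain Python over constructed request attributes (NAS-IP-Address, LDAP-Group[*], reply list) and checks that the verdicts agree, while also showing the one visible difference, the Reply-Message that the flattened version no longer sets. The group DN keeps the literal "$SUFFIX" placeholder exactly as the thread wrote it.

```python
"""Model of the two 'group_authorization' policies discussed in this thread.

Added example: unlang is approximated in Python so the nested original and the
flattened rewrite can be run against the same constructed requests. Only the
final verdict is compared; the original also sets Reply-Message on reject.
"""
from dataclasses import dataclass, field

# Values taken from the thread; "$SUFFIX" is left as the literal placeholder used there.
VPN_GROUP = "cn=vpn_users,cn=groups,cn=accounts,$SUFFIX"
GATEWAY_IP = "172.16.16.1"   # the NAS behind the "ourgw" huntgroup

OK = "ok"
REJECT = "reject"


@dataclass
class Request:
    """Constructed stand-in for a request after the ldap module has run."""
    nas_ip: str                                       # NAS-IP-Address
    ldap_groups: list = field(default_factory=list)   # LDAP-Group[*]
    reply: dict = field(default_factory=dict)         # reply: attributes


def huntgroup_name(req):
    """mods-config/preprocess/huntgroups: ourgw  NAS-IP-Address == 172.16.16.1"""
    return "ourgw" if req.nas_ip == GATEWAY_IP else None


def original_policy(req):
    """Nested if/else version from the original post."""
    if huntgroup_name(req) == "ourgw":
        if VPN_GROUP in req.ldap_groups:          # &LDAP-Group[*] == "cn=vpn_users,..."
            return OK
        req.reply["Reply-Message"] = "Not authorized for VPN"
        return REJECT
    req.reply["Reply-Message"] = "Not authorized for unknown huntgroup"
    return REJECT


def simplified_policy(req):
    """Flattened version: each 'reject' returns at once, so no else branches."""
    if req.nas_ip != GATEWAY_IP:                  # check the NAS IP, not a huntgroup
        return REJECT
    if VPN_GROUP not in req.ldap_groups:          # LDAP-Group != "cn=vpn_users,..."
        return REJECT
    return OK


def decisions_agree(requests):
    """True when both policies return the same verdict for every request."""
    return all(original_policy(r) == simplified_policy(r) for r in requests)


# Constructed matrix: gateway vs. other NAS, group member vs. non-member.
SAMPLE_REQUESTS = [
    Request(GATEWAY_IP, [VPN_GROUP]),
    Request(GATEWAY_IP, ["cn=admins,cn=groups,cn=accounts,$SUFFIX"]),
    Request(GATEWAY_IP, []),
    Request("10.0.0.99", [VPN_GROUP]),
    Request("10.0.0.99", []),
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(r.nas_ip, r.ldap_groups, original_policy(r), simplified_policy(r), r.reply)
    print("decisions agree:", decisions_agree(SAMPLE_REQUESTS))
```

Running it shows both policies accept only the VPN-group member coming from 172.16.16.1 and reject everything else; the only thing lost in the rewrite is the Reply-Message text, which can be added back inside each `if` before its `reject` if the NAS shows it to users.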
