How to restrict authorization to members of FreeIPA group
Kees Bakker
keesb at ghs.com
Thu Jul 11 09:29:50 CEST 2019
On 10-07-19 21:17, Alan DeKok wrote:
> On Jul 10, 2019, at 9:35 AM, Kees Bakker via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>> Meanwhile we have found another suggestion which seems
>> to be working. But it remains magic.
> It does what you want. :)
That's not how I want to use tools. :-)
>
>> In sites-available/default we have this
>>
>> authorize {
>>     ...
>>     ldap
>>     if ((ok || updated) && User-Password) {
>>         update {
>>             control:Auth-Type := ldap
>>         }
>>     }
>>     group_authorization
> Basically "If the user was found in LDAP, AND they were trying to authenticate with a clear-text password, THEN use LDAP bind for authentication".
>
> The only magic is the technical bits tying it all together.
>
>> In mods-config/preprocess/huntgroups we defined a new
>> huntgroup
>>
>> ourgw NAS-IP-Address == 172.16.16.1
> You shouldn't need to do that. You can just check the NAS-IP-Address directly.
>
>> In a new file policy.d/group_authorization we have
>>
>> #---------------------------------------------------------------------------------------
>> group_authorization {
>>     if (&Huntgroup-Name == "ourgw") {
>>         if (&LDAP-Group[*] == "cn=vpn_users,cn=groups,cn=accounts,$SUFFIX") {
>>             ok
>>         }
>>         else {
>>             update reply {
>>                 &Reply-Message := "Not authorized for VPN"
>>             }
>>             reject
>>         }
>>     }
>>     else {
>>         update reply {
>>             &Reply-Message := "Not authorized for unknown huntgroup"
>>         }
>>         reject
>>     }
>> }
>> #---------------------------------------------------------------------------------------
>>
>> This is working for us. But I must say that we don't know if the rejects
>> in the else parts are correct.
> It's a little complex. You can simplify it by noticing that "reject" means "reject NOW and stop processing the packet".
>
> Which means that you can do the following. Though I'm not clear why you need to check for a known client. The "clients.conf" file already checks for that.
>
> group_authorization {
>     #
>     # don't check huntgroup, just check NAS IP
>     #
>     if (NAS-IP-Address != 172.16.16.1) {
>         reject
>     }
>
>     #
>     # If the user isn't in this LDAP group, reject
>     #
>     if (LDAP-Group != "cn=vpn_users,cn=groups,cn=accounts,$SUFFIX") {
>         reject
>     }
>
>     ok
> }
>
> Much simpler.
Indeed. That makes sense.
>
>> We do have a problem that the Cisco does
>> not look at its local users anymore (if the radius server is present).
> That's an issue for the Cisco documentation.
>
> But typically, the NAS does local *or* remote users. The NAS may have one "fall-back" user which can log in when the RADIUS server isn't available. But that's it.
>
> Alan DeKok.
>
Thanks
--
Kees Bakker
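The following is an added example, not code from the thread above and not part of the FreeRADIUS project's shipped configuration. It puts the pieces discussed in the thread into one FreeRADIUS 3.x configuration: the authorize gating that selects LDAP bind authentication, the authenticate section that gating depends on, and Alan's simplified group policy with Kees's Reply-Message hints kept. Assumptions: the ldap module instance is named "ldap", the FreeIPA base DN is dc=example,dc=com (standing in for the thread's $SUFFIX placeholder), and the VPN gateway's address is 172.16.16.1 as in the thread.

```unlang
# Added example (not from the thread or the FreeRADIUS project).
# Assumptions: ldap module instance "ldap", FreeIPA base DN dc=example,dc=com
# (the thread's $SUFFIX), VPN gateway NAS at 172.16.16.1.

# --- sites-available/default, inside authorize { } ---
authorize {
	# ... (filter_username, preprocess, etc. as shipped)
	ldap
	# Select LDAP bind authentication only when the user was found in LDAP
	# and the request carries a cleartext password (PAP).  MS-CHAP requests
	# carry no User-Password, so a bind cannot verify them; leave them to
	# the other Auth-Type logic.
	if ((ok || updated) && &User-Password) {
		update control {
			&Auth-Type := LDAP
		}
	}
	group_authorization
	# ...
}

# --- sites-available/default, inside authenticate { } ---
# This block is commented out in the shipped default virtual server.
# Without it, Auth-Type := LDAP has nothing to run and every request fails.
authenticate {
	Auth-Type LDAP {
		ldap
	}
}

# --- policy.d/group_authorization ---
group_authorization {
	#
	# Only the VPN gateway may use this policy.  clients.conf already drops
	# packets from unknown NAS addresses, so this check only matters when
	# other RADIUS clients share the same virtual server.
	#
	if (&NAS-IP-Address != 172.16.16.1) {
		update reply {
			&Reply-Message := "Not authorized from this NAS"
		}
		reject
	}

	#
	# Comparing LDAP-Group makes rlm_ldap run the membership lookup
	# configured under group { } in mods-available/ldap.  A value
	# containing "=" is treated as a group DN rather than a group name.
	# "reject" stops processing here and returns Access-Reject.
	#
	if (&LDAP-Group != "cn=vpn_users,cn=groups,cn=accounts,dc=example,dc=com") {
		update reply {
			&Reply-Message := "Not authorized for VPN"
		}
		reject
	}

	ok
}
```

Two practical notes. First, because authentication is an LDAP bind, the NAS must send the password as PAP; if the Cisco is configured for MS-CHAP the User-Password check never matches and the request falls through to whatever other Auth-Type is configured. Second, FreeIPA publishes group membership on the user entry in memberOf with full group DNs, so setting membership_attribute = 'memberOf' in the group { } section of mods-available/ldap lets the DN comparison above be answered from the already-fetched user entry rather than a second search; run radiusd -X and watch the rlm_ldap lines to confirm which lookup path is taken.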