On Jun 22, 2015, at 12:00 PM, Daniel Bray <dbray925@gmail.com> wrote:
I was thinking that a Freeradius solution would be a simple approach to get all the SSH devices (Linux and Cisco) pointing to a single server for authentication purposes.
RADIUS doesn't do UID, GID, home directory, etc. So it's probably not the correct choice for logging into Linux servers.
Here comes the issues I face. I got everything setup on a Linux server, and using MySQL as the backend. I'm also using daloRADIUS as the web frontend for management. I was able to get the test Linux servers PAM configured to point to the Freeradius server, and I can authenticate myself, and the other admins. However, it appears that, by default, all users can SSH into any of the NAS devices I've configured.
The default configuration of the server is to authenticate users. Which means all known users are allowed in.
This is the main issues I'm trying to solve. How, exactly, do I configure Freeradius to only allow certain vendor accounts SSH access into specific NAS devices?
You have to set up explicit lists of who's allowed to log in where. Put the data into an SQL table, and write a SELECT statement. Then, put that SELECT statement into the FreeRADIUS configuration. e.g. if you have a table of "user, NAS", you can do something like this: if (!"%{SELECT %{User-Name} from nas_control_table WHERE NAS = '%{NAS-IP-Address}' AND USER = '%{User-Name}'}) { reject } Which looks up the user by name and NAS IP. If the SQL statement returns nothing, reject. You'll have to create a correct schema, table, and query, of course. The above is just an example. Alan DeKok.