On Jun 25, 2017, at 1:10 AM, Darrain Waters <dwaters@bioteam.net> wrote:
I would like to map the group "admins" in the ldap directory, to the super-user account "admin-su" on a Juniper NAS. Likewise, map a directory group "net-ro" to the read-only account "admin-ro" on a juniper nas.
OK.
When a user attempts to log into a nas with ldap account, the request goes to radius which looks up the user group membership & password. If the ldap user belongs to group "admins" in the ldap directory, the user is granted super-user rights via admin-su account on the juniper nas. If a user attempts juniper nas login, and belongs to ldap "net-ro" group they are given "admin-ro" read-only access to the juniper nas.
That's clearer. So write that down as a series of statements and if / then / else checks: * when a user logs into the NAS, they do so with a name X, and password Y * that information is sent to FreeRADIUS in an Access-Request * FreeRADIUS checks to see if that name / password is OK, and rejects them if it's not OK. * if they are accepted, FreeRADIUS looks up their group information in LDAP * if they are in LDAP group "admins", FreeRADIUS should respond with Juniper-Local-User-Name = "admin-us" * else if they are in LDAP group "net-ro", FreeRADIUS should respond with Juniper-Local-User-Name = "admin-ro" Then, implement it piece by piece. Get LDAP authentication working. Then, get LDAP group checking working. That's done via the LDAP-Group attribute... You'll want to put the Juniper-Local-User-Name into the "post-auth" section, as that is run only after a user is authenticated. if (LDAP-Group == admins) { update reply { Juniper-Local-User-Name := "admin-us" } } You'll see that once you get the problem stated clearly, you can map that pretty directly into the FreeRADIUS configuration. Alan DeKok.