On Fri, Jul 24, 2015 at 10:03 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Jul 24, 2015, at 8:52 AM, D C <dc12078@gmail.com> wrote:
I've configured post-auth and the users file in such a way that I can log into devices with my ldap credentials ONLY if I am a member of one of 2 groups. My reply-item attributes are stored in ldap within the group, and all that is working great. Valid users who are not members of these defined groups get rejected. perfect.
That's good.
Now the tricky part. I have a third ldap group that i want to use in order to assign vpn access to people. so some users may be members of only the vpn group, and some maybe members of the superadmin group as well as the vpn group. This causes two problems.
1) If I add allow the vpn group, then vpn users will be able to login to network equipment which is definitely not desired.
Then allow the VPN group only if they're using the VPN services.
How does the RADIUS server know they're using VPN services? Run it in debugging mode, and see what the output is.
2) I don't currently have any way to determine within radius if a user is trying to login to the vpn, or if they are trying to ssh to my firewall.
Read the debug output. If users login to the VPN and send packet X, and login to the firewall and send packet Y... the two packets are different. You can key off of those differences to set the different policies.
If the two packets are identical, then it's *impossible* to run different services. Because FreeRADIUS can't tell that they're different services.
I'm not really sure what I should do to work around this. My only idea I've come up with (which I don't like), is to have my firewall set a different NAS-ip for the vpn users. If that is different, then I imagine I can probably write some login in post-auth to handle it. Is there a better way to do this.
That's the way to do it.
The radius configuration on my firewall will let me set the nas-ip, auth-type, which source ip to communicate with, and which destination port the radius server is listening on. I've not yet looked into how the virtual servers work in radius, so maybe I can setup a different port and config for my vpn users to auth against..
Using FreeRadius 2.1.12.
You should really upgrade...
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
So I got it working, kinda. Thanks to radiusd -X, I found that my fortigate appliance sends an attribute in the request called "Connect-Info" which distinguishes if it's and vpn login or a admin login. I can do something like this in post-auth which "works"..( ignore typos, i'm going off the top of my head here.) When the user is rejected, the behaviour i see is that I get one Login OK message, followed by two login failures. This is probably because I'm doing this in post-auth as I've read in other posts. I know if I do not allow the ldap group in my users file, I get a single failure with no repeat login attempts. My question is where can I apply this logic besides post-auth, so that I can handle it before I allow the login? switch Connect-Info { case "vpn-ssl" { if ((LDAP-Group == "vpngroup1") || (LDAP-Group == "vpngroup2") || (LDAP-Group == "vpngroup3")) { ok } else { update reply { Reply-Message += "VPN access denied by LDAP group membership." } reject } } case "admin-login" { if ((LDAP-Group == "admingroup1") || (LDAP-Group == "admingroup2")) { ok } else { update reply { Reply-Message += "Fortinet Admin access denied by LDAP group membership." } reject } } case { update reply { Reply-Message += "Unknown Connect-Info value. Go away." } reject } }