On Jul 10, 2019, at 9:35 AM, Kees Bakker via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Meanwhile we have found another suggestion which seems to be working. But it remains magic.
It does what you want. :)
In sites-available/default we have this
authorize { ... ldap if ((ok || updated) && User-Password) { update { control:Auth-Type := ldap } } group_authorization
Basically "If the user was found in LDAP, AND they were trying to authenticate with a clear-text password, THEN use LDAP bind for authentication". The only magic is the technical bits tying it all together.
In mods-config/preprocess/huntgroups we defined a new huntgroup
ourgw NAS-IP-Address == 172.16.16.1
You shouldn't need to do that. You can just check the NAS-IP-Address directly.
In a new file policy.d/group_authorization we have
#--------------------------------------------------------------------------------------- group_authorization { if (&Huntgroup-Name == "ourgw") { if (&LDAP-Group[*] == "cn=vpn_users,cn=groups,cn=accounts,$SUFFIX") { ok } else { update reply { &Reply-Message := "Not authorized for VPN" } reject } } else { update reply { &Reply-Message := "Not authorized for unknown huntgroup" } reject } } #---------------------------------------------------------------------------------------
This is working for us. But I must say that we don't know if the rejects in the else parts are correct.
It's a little complex. You can simplify it by noticing that "reject" means "reject NOW and stop processing the packet". Which means tat you can do the following. Though I'm not clear why you need to check for a known client. The "clients.conf" file already checks for that. group_authorization { # # don't check huntgroup, just check NAS IP # if (NAS-IP-Address != 172.16.16.1) { reject } # # If the user isn't in this LDAP group, reject # if (LDAP-Group != "cn=vpn_users,cn=groups,cn=accounts,$SUFFIX") { reject } ok } Much simpler.
We do have a problem that the Cisco does not look at its local users anymore (if the radius server is present).
That's an issue for the Cisco documentation. But typically, the NAS does local *or* remote users. The NAS may have one "fall-back" user which can log in when the RADIUS server isn't available. But that's it. Alan DeKok.