Jan-Frode Myklebust wrote:
I want to use freeradius to authenticate different groups of users (from LDAP) to sets of network devices, potentially with different access levels, but have a bit hard time understanding how this is supposed to be configured. Would be nice with some advice..
Write out the rules in plain english. Then, translate them into "unlang". The translation is fairly direct.
What I have so far is:
# Give ldap group "firewall" super-user privilege on juniper firewalls: DEFAULT Ldap-Group == "cn=firewall,cn=groups,cn=accounts,dc=example,dc=com" Auth-Type := LDAP Juniper-Local-User-Name := "super-users",
# Give ldap group "netadmin" "enable" access on cisco routers: DEFAULT Ldap-Group == "cn=netadmin,cn=groups,cn=accounts,dc=example,dc=com" Auth-Type := LDAP cisco-avpair = "shell:priv-lvl=15"
But this doesn't work for users that are member of both groups, so I need to say that the first rule is limited to a set of juniper devices, and the second is limited to a set of cisco devices.
Yes, the two rules don't check which client device is being used. They also don't check if the user is *asking* for administrator privilege.
What's the strategy we should use for expressing this? Is it possible without having to specify one rule for each NAS-IP-Address? I.e. being able to do some kind og grouping of clients to match on would be very helpful..
Add a 'type' for each client: client foo { ipaddr = x secret = type ... type = juniper } Then use "unlang": if ("%{client:type}" == "juniper") { // check if the user is ASKING for admin access if (LDAP-Group != cn=firewall,cn=groups,cn=accounts,dc=example,dc=com) { reject } update control { Auth-Type := LDAP } update reply { Juniper-Local-User-Name := "super-users" } } And you probably don't want to force "Auth-Type := LDAP". Just list "ldap" in the "authorize" section. Alan DeKok.