This is exactly how I deployed it in my previous employer. I had a structure in LDAP for the source IP address so we mapped L aka location attribute in ldap the source IP to "Client shortname" and that was used to identify the element type. Then we did a search based on the user full DN in Group membership and "L" attribute to find out which group they were a part of. Then set an control attribute like tmp-string-0 as the element type and role or similar and log that to linelog so you know what role they were assigned when they got access I always intended to write up a blog post about how to do this as a cookbook. I really should do that sometime. On Fri, Jun 15, 2018 at 12:36 PM, Coy Hile <coy.hile@coyhile.com> wrote:
On Jun 14, 2018, at 8:01 PM, Laurent Dumont < ldumont@northernsysadmin.com> wrote:
Hi everyone.
We are currently experimenting with Radius and are looking to find a way to change the privilege levels when logging into a certain class of devices(and only these ones). Right now, we have the following setup.
1. Users attempts to log into a Cisco radius enable device. 2. Device starts the auth process with an Access-Request. 3. Freeradius checks the LDAP/FreeIPA backend and sends the reply with the VSA "“cisco-avpair" for the correct privilege level based on LDAP group membership.
That’s exactly how I would implement it. Based on a tuple (user, Device) or (userGroup, DeviceGroup), the LDAP server knows based on group memberships which user group(s) the user is in. Same for the device. Query on the backend from most privilege to least. Most specific (User, Device), then (User, Device Group), (UserGroup, device), and finally (UserGroup, DeviceGroup). First most-specific match wins.
You could ostensibly have an employee joe who is a network admin, so he gets cisco:shell-level=15 in each set of devices, but the last time he touched the core route reflectors, he broke the world, so you then define a privilege record (in LDAP) that specifically has (Joe, NoAccess).
-- Coy Hile coy.hile@coyhile.com
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html