Device specific Access-Accept attributes and granular user group control
Hello -- I am running freeradius2-2.1.7 with MySQL as the backend datastore. I've got a deployment up and running supporting the admin login to about 200 switches from a single vendor. I'm looking to expand my deployment and thus some new requirements have surfaced. Requirements: - Different brands of gear should get different VSAs and/or general attributes returned in Access-Accept messages. For example, if I log in from a Cisco device, I should get a different RADIUS attribute sent back than when logging in from a F5 or a NetScreen. - Some users can log into certain groups of devices, others should not be able to I'm fairly certain the #2 requirement will require the user of huntgroups. Does anyone have any idea how to accomplish requirement #1? Thanks for your help in pointing me in the right direction.
This is how I did it using LDAP. http://lists.freeradius.org/mailman/htdig/freeradius-users/2009-November/msg... I would recommend using LDAP over MySQL, as normally you would have a Corporate LDAP directory (Active Directory, or eDirectory or similar) and managing access to your Radius system from Groups based in the LDAP is a little easier than messing around with your MySQL database. But that's just me. On Fri, Feb 5, 2010 at 12:45 PM, Matt Hite <lists@beatmixed.com> wrote:
Hello --
I am running freeradius2-2.1.7 with MySQL as the backend datastore.
I've got a deployment up and running supporting the admin login to about 200 switches from a single vendor. I'm looking to expand my deployment and thus some new requirements have surfaced.
Requirements:
- Different brands of gear should get different VSAs and/or general attributes returned in Access-Accept messages. For example, if I log in from a Cisco device, I should get a different RADIUS attribute sent back than when logging in from a F5 or a NetScreen.
- Some users can log into certain groups of devices, others should not be able to
I'm fairly certain the #2 requirement will require the user of huntgroups. Does anyone have any idea how to accomplish requirement #1?
Thanks for your help in pointing me in the right direction. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Matt Hite wrote:
- Different brands of gear should get different VSAs and/or general attributes returned in Access-Accept messages. For example, if I log in from a Cisco device, I should get a different RADIUS attribute sent back than when logging in from a F5 or a NetScreen.
It's not well known, but the configuration files can be used as a simple database. Any "well formed" text will be accepted, and can be lookup up later. e.g.: client foo { ipaddr = ... secret = ... myfield = cisco .. } Then when processing a packet: if ("%{client:myfield}" == "cisco") { ... } You can define your own data, and put each device into it's own "group", simply by adding a field to each "client" entry. Then, return the appropriate attributes for each type of client.
- Some users can log into certain groups of devices, others should not be able to
Use the same thing, but also using "groups" for the users. client foo { ... class = foo } Then in a processing section (authorize, etc.) if ((Group == "limited") && ("%{client:class}" != "foo")) { reject } If you don't want "unix" groups, see "man rlm_passwd". Alan DeKok.
participants (3)
-
Alan DeKok -
Matt Hite -
Peter Lambrechtsen