Limiting user accounts for specific devices
We have a bunch of HP switches that we're using radius authentication on to configure. Our freeradius server is configured to grab users from an active directory server. We want to be able to only allow a single user account to be able to have rights to login to these switches so if any other account is used it should be denied access. I have to be able to pull this information from AD so that the user password can be changed quickly by someone not familiar with configuring radius. Later on we're going to use this same radius server to authenticate wireless access so it would need to be set per IP address or range only for the limits so that the other users in AD can be used for that. I'm thinking there is a way to do this in clients.conf but haven't found anything so far in my research. Here's an example client we have in our clients.conf: client 10.0.0.251 { secret = xxxxx shortname = NOC_5308 } Any help would be greatly appreciated. Thanks, Jared
On Fri, Dec 3, 2010 at 7:24 AM, Garber, Neal <Neal.Garber@iberdrolausa.com>wrote:
so it would need to be set per IP address or range only for the limits so that the other users in AD can be used for that
Have you thought about using huntgroups to group your NAS together and then authorize based upon Huntgroup-Name?
If you set the client shortname in your clients file to the same value for all the same "types" of switches you can do that as well. That's what we do since we are using Dynamic Groups and using the client-shortname for auth: In our users file: DEFAULT Client-Shortname == "CiscoSwitch", Ldap-Group == "cn=SwitchAccess,o=Identities" Service-Type = "Login-User", Idle-Timeout = 600
participants (3)
-
Garber, Neal -
JARED HOOVER -
Peter Lambrechtsen