How to handle multiple NAS's, auth requirements, etc.
Hello, so for the BASIC question! First, is there any docs that explain the concepts of how all the various pieces of FR tie together? I've read a bunch of stuff and am making some headway, but some of the architecture and process flow still escapes me. If I can gain a better understanding of the internals I could probably resolve most of my own questions and better contribute to the community as well! Now, the question: We have various environments that need to authenticate and authorize using FR: VPN connections with something like (if member of "VPNGroup" then permit, else deny); vty login to network gear with (if member of "NetEngGroup" then permit, else deny); and 802.1x with dynamic VLAN assignment. I plan to use ntlm_auth for all of these to hit AD on the backend. The problem I'm having is grasping how I can do this? Do I need separate instances of FR? A bunch of "if then/else" clauses somewhere? How does FR know what type of auth is required? Am I making this more complicated than it really is? TIA for the help! In the mean time I'll keep reading and playing! Gary <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
Sorry! s/so/sorry in OP!!!! ________________________________ From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.or g] On Behalf Of Gary Gatten Sent: Friday, August 21, 2009 10:34 AM To: FreeRadius users mailing list Subject: How to handle multiple NAS's, auth requirements, etc. Hello, so for the BASIC question! First, is there any docs that explain the concepts of how all the various pieces of FR tie together? I've read a bunch of stuff and am making some headway, but some of the architecture and process flow still escapes me. If I can gain a better understanding of the internals I could probably resolve most of my own questions and better contribute to the community as well! Now, the question: We have various environments that need to authenticate and authorize using FR: VPN connections with something like (if member of "VPNGroup" then permit, else deny); vty login to network gear with (if member of "NetEngGroup" then permit, else deny); and 802.1x with dynamic VLAN assignment. I plan to use ntlm_auth for all of these to hit AD on the backend. The problem I'm having is grasping how I can do this? Do I need separate instances of FR? A bunch of "if then/else" clauses somewhere? How does FR know what type of auth is required? Am I making this more complicated than it really is? TIA for the help! In the mean time I'll keep reading and playing! Gary "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
Hello, so for the BASIC question! First, is there any docs that explain the concepts of how all the various pieces of FR tie together?
Read the debug - it will tell you what server does when it starts and when it processes the request.
We have various environments that need to authenticate and authorize using FR: VPN connections with something like (if member of "VPNGroup" then permit, else deny); vty login to network gear with (if member of "NetEngGroup" then permit, else deny); and 802.1x with dynamic VLAN assignment. I plan to use ntlm_auth for all of these to hit AD on the backend.
The problem I'm having is grasping how I can do this? Do I need separate instances of FR?
No.
A bunch of "if then/else" clauses somewhere?
Yes, see man unlang. Configure AD in ldap module and use Ldap-Group to test membership.
How does FR know what type of auth is required?
If you configure ntlm_auth statement in mschap module it will use it. Read AD integration guide: http://deployingradius.com/documents/configuration/active_directory.html Ivan Kalik Kalik Informatika ISP
On 08/21/2009 11:33 AM, Gary Gatten wrote:
Hello, so for the BASIC question! First, is there any docs that explain the concepts of how all the various pieces of FR tie together? I’ve read a bunch of stuff and am making some headway, but some of the architecture and process flow still escapes me. If I can gain a better understanding of the internals I could probably resolve most of my own questions and better contribute to the community as well!
Now, the question:
We have various environments that need to authenticate and authorize using FR: VPN connections with something like (if member of “VPNGroup” then permit, else deny); vty login to network gear with (if member of “NetEngGroup” then permit, else deny); and 802.1x with dynamic VLAN assignment. I plan to use ntlm_auth for all of these to hit AD on the backend.
The problem I’m having is grasping how I can do this? Do I need separate instances of FR? A bunch of “if then/else” clauses somewhere? How does FR know what type of auth is required? Am I making this more complicated than it really is?
You'll want to assign users into a group. You have a lot of flexibility on how you do that. Probably the easiest way to manage things is using a SQL backend. You can declare groups and assign users to them in the SQL tables. Or you can dynamically decide a user is in a particular group based on a variety of factors and insert the group name into the request (use unlang for this) so the group test can see it. Or you can put someone in a group based on how they're connecting (e.g. from specific NAS's), these are called huntgroups. There is a HowTo on the wiki explaining how to do this with SQL. You do not need separate instances of FR. FR knows what type of auth to perform based on what the client sends and how you've set up the authentication section of the config. Basically each authentication module in priority order is given a chance to look at the request. If the module thinks it has enough information to process the request it does so. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
participants (3)
-
Gary Gatten -
Ivan Kalik -
John Dennis