NAS login class to RADIUS authenticated ldap users
Hello I need to map ldap authenticated (389directory) users to juniper nas local accounts that all have different access rights. I clearly run the ldap module, and do a group search to verify a user can access based on group. Is it possible to take the group the ldap module finds and map it to a same named account on the juniper nas ? I want to avoid using the remote user id on the juniper nas with the access class that I assign, and instead use the different accounts on the juniper nas which are different access levels: user-ro user-op user-su I have not messed with the git pulled 3.0.14 config files other than ldap, clients.conf and users file. See radiusd -X below for run info. In my users file I have: DEFAULT LDAP-Group == "admins", Auth-Type := Accept Junipers instructions are as follow, which I have tried: In this example a freeradius server is used (more info about freeradius at http://freeradius.org/). The following users are configured in the file /etc/freeradius/users on the freeradius server: tom Cleartext-Password := "tom123" Service-Type = Login-User, Juniper-Local-User-Name := "readonly-users", jerry Cleartext-Password := "jerry123" Service-Type = Login-User, Juniper-Local-User-Name := "super-users", The VSA (vendor specific attribute) "Juniper-Local-User-Name" is used here. This VSA is already present in file /usr/share/freeradius/dictionary.juniper by default and does not need to be configured. On the radius server in file /etc/freeradius/clients.conf the radius secret and client IP address (in this case 0/0, so any IP address) is configured like this example: client 0/0 { secret = juniper shortname = JUNOS-devices } Thank you FreeRADIUS Version 3.0.14 Copyright (C) 1999-2017 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/local/share/freeradius/dictionary including dictionary file /usr/local/share/freeradius/dictionary.dhcp including dictionary file /usr/local/share/freeradius/dictionary.vqp including dictionary file /etc/raddb/dictionary including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/mods-enabled/ including configuration file /etc/raddb/mods-enabled/passwd including configuration file /etc/raddb/mods-enabled/echo including configuration file /etc/raddb/mods-enabled/cache_eap including configuration file /etc/raddb/mods-enabled/soh including configuration file /etc/raddb/mods-enabled/files including configuration file /etc/raddb/mods-enabled/dynamic_clients including configuration file /etc/raddb/mods-enabled/sradutmp including configuration file /etc/raddb/mods-enabled/realm including configuration file /etc/raddb/mods-enabled/always including configuration file /etc/raddb/mods-enabled/attr_filter including configuration file /etc/raddb/mods-enabled/ntlm_auth including configuration file /etc/raddb/mods-enabled/dhcp including configuration file /etc/raddb/mods-enabled/linelog including configuration file /etc/raddb/mods-enabled/radutmp including configuration file /etc/raddb/mods-enabled/utf8 including configuration file /etc/raddb/mods-enabled/detail.log including configuration file /etc/raddb/mods-enabled/unpack including configuration file /etc/raddb/mods-enabled/expr including configuration file /etc/raddb/mods-enabled/chap including configuration file /etc/raddb/mods-enabled/date including configuration file /etc/raddb/mods-enabled/eap including configuration file /etc/raddb/mods-enabled/logintime including configuration file /etc/raddb/mods-enabled/ldap including configuration file /etc/raddb/mods-enabled/pap including configuration file /etc/raddb/mods-enabled/replicate including configuration file /etc/raddb/mods-enabled/digest including configuration file /etc/raddb/mods-enabled/preprocess including configuration file /etc/raddb/mods-enabled/mschap including configuration file /etc/raddb/mods-enabled/exec including configuration file /etc/raddb/mods-enabled/detail including configuration file /etc/raddb/mods-enabled/unix including configuration file /etc/raddb/mods-enabled/expiration including files in directory /etc/raddb/policy.d/ including configuration file /etc/raddb/policy.d/abfab-tr including configuration file /etc/raddb/policy.d/operator-name including configuration file /etc/raddb/policy.d/debug including configuration file /etc/raddb/policy.d/accounting including configuration file /etc/raddb/policy.d/moonshot-targeted-ids including configuration file /etc/raddb/policy.d/filter including configuration file /etc/raddb/policy.d/dhcp including configuration file /etc/raddb/policy.d/eap including configuration file /etc/raddb/policy.d/canonicalization including configuration file /etc/raddb/policy.d/cui including configuration file /etc/raddb/policy.d/control including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/inner-tunnel including configuration file /etc/raddb/sites-enabled/default main { security { allow_core_dumps = no } name = "radiusd" prefix = "/usr/local" localstatedir = "/usr/local/var" logdir = "/var/log" run_dir = "/usr/local/var/run/radiusd" } main { name = "radiusd" prefix = "/usr/local" localstatedir = "/usr/local/var" sbindir = "/usr/local/sbin" logdir = "/var/log" run_dir = "/usr/local/var/run/radiusd" libdir = "/usr/local/lib" radacctdir = "/var/log/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 16384 pidfile = "/usr/local/var/run/radiusd/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client scinet-login-node { ipaddr = 10.1.4.46 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client mx480-nal-g04-1 { ipaddr = 10.10.0.10 require_message_authenticator = no secret = <<< secret >>> nas_type = "juniper" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client mx480-Albany-3036 { ipaddr = 10.50.0.11 require_message_authenticator = no secret = <<< secret >>> nas_type = "juniper" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client QFX5100-ALB-NWF1-IDF-1 { ipaddr = 10.0.60.1 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client QFX5100-ALB-Rm3034-1 { ipaddr = 10.0.66.1 require_message_authenticator = no secret = <<< secret >>> nas_type = "juniper" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client mx960-ames-core1 { ipaddr = 10.10.0.11 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client mlxe16-CC-131-1 { ipaddr = 10.20.0.11 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client mlx8e-SV-07 { ipaddr = 10.30.0.11 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client mlxe16-ftc-3020-1 { ipaddr = 10.40.0.11 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client SRX550-FTC-SCInet-Rm3020-1 { ipaddr = 10.150.0.2 require_message_authenticator = no secret = <<< secret >>> nas_type = "juniper" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Debugger not attached # Creating Auth-Type = mschap # Creating Auth-Type = eap # Creating Auth-Type = PAP # Creating Auth-Type = CHAP # Creating Auth-Type = MS-CHAP # Creating Auth-Type = digest radiusd: #### Instantiating modules #### modules { # Loaded module rlm_passwd # Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loaded module rlm_exec # Loading module "echo" from file /etc/raddb/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loaded module rlm_cache # Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap cache cache_eap { driver = "rlm_cache_rbtree" key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 0 epoch = 0 add_stats = no } # Loaded module rlm_soh # Loading module "soh" from file /etc/raddb/mods-enabled/soh soh { dhcp = yes } # Loaded module rlm_files # Loading module "files" from file /etc/raddb/mods-enabled/files files { filename = "/etc/raddb/mods-config/files/authorize" acctusersfile = "/etc/raddb/mods-config/files/accounting" preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy" } # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /etc/raddb/mods-enabled/dynamic_clients # Loaded module rlm_radutmp # Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_realm # Loading module "IPASS" from file /etc/raddb/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /etc/raddb/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no } # Loaded module rlm_always # Loading module "reject" from file /etc/raddb/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /etc/raddb/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /etc/raddb/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /etc/raddb/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /etc/raddb/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /etc/raddb/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /etc/raddb/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /etc/raddb/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /etc/raddb/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/raddb/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/raddb/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/raddb/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/raddb/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/raddb/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_dhcp # Loading module "dhcp" from file /etc/raddb/mods-enabled/dhcp # Loaded module rlm_linelog # Loading module "linelog" from file /etc/raddb/mods-enabled/linelog linelog { filename = "/var/log/linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" } # Loading module "log_accounting" from file /etc/raddb/mods-enabled/linelog linelog log_accounting { filename = "/var/log/linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp radutmp { filename = "/var/log/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_utf8 # Loading module "utf8" from file /etc/raddb/mods-enabled/utf8 # Loaded module rlm_detail # Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log detail auth_log { filename = "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log detail reply_log { filename = "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_unpack # Loading module "unpack" from file /etc/raddb/mods-enabled/unpack # Loaded module rlm_expr # Loading module "expr" from file /etc/raddb/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loaded module rlm_chap # Loading module "chap" from file /etc/raddb/mods-enabled/chap # Loaded module rlm_date # Loading module "date" from file /etc/raddb/mods-enabled/date date { format = "%b %e %Y %H:%M:%S %Z" utc = no } # Loaded module rlm_eap # Loading module "eap" from file /etc/raddb/mods-enabled/eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 16384 } # Loaded module rlm_logintime # Loading module "logintime" from file /etc/raddb/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_ldap # Loading module "ldap" from file /etc/raddb/mods-enabled/ldap ldap { server = "10.1.0.9" identity = "cn=Directory Manager" password = <<< secret >>> sasl { } user { scope = "sub" access_positive = yes sasl { } } group { filter = "(objectClass=posixGroup)" scope = "sub" name_attribute = "cn" membership_attribute = "memberOf" membership_filter = "(memberof=%{control:Ldap-UserDn})(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))" cacheable_name = no cacheable_dn = no } client { filter = "(objectClass=radiusClient)" scope = "sub" base_dn = "cn=users,cn=accounts,dc=scinet,dc=ars,dc=usda,dc=gov" } profile { } options { ldap_debug = 40 chase_referrals = yes rebind = yes net_timeout = 1 res_timeout = 10 srv_timelimit = 3 idle = 60 probes = 3 interval = 3 } tls { start_tls = no } } Creating attribute LDAP-Group # Loaded module rlm_pap # Loading module "pap" from file /etc/raddb/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_replicate # Loading module "replicate" from file /etc/raddb/mods-enabled/replicate # Loaded module rlm_digest # Loading module "digest" from file /etc/raddb/mods-enabled/digest # Loaded module rlm_preprocess # Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess preprocess { huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups" hints = "/etc/raddb/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_mschap # Loading module "mschap" from file /etc/raddb/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes winbind_retry_with_normalised_username = no } # Loading module "exec" from file /etc/raddb/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loading module "detail" from file /etc/raddb/mods-enabled/detail detail { filename = "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_unix # Loading module "unix" from file /etc/raddb/mods-enabled/unix unix { radwtmp = "/var/log/radwtmp" } Creating attribute Unix-Group # Loaded module rlm_expiration # Loading module "expiration" from file /etc/raddb/mods-enabled/expiration instantiate { } # Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "files" from file /etc/raddb/mods-enabled/files reading pairlist file /etc/raddb/mods-config/files/authorize reading pairlist file /etc/raddb/mods-config/files/accounting reading pairlist file /etc/raddb/mods-config/files/pre-proxy # Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm # Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm # Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm # Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm # Instantiating module "reject" from file /etc/raddb/mods-enabled/always # Instantiating module "fail" from file /etc/raddb/mods-enabled/always # Instantiating module "ok" from file /etc/raddb/mods-enabled/always # Instantiating module "handled" from file /etc/raddb/mods-enabled/always # Instantiating module "invalid" from file /etc/raddb/mods-enabled/always # Instantiating module "userlock" from file /etc/raddb/mods-enabled/always # Instantiating module "notfound" from file /etc/raddb/mods-enabled/always # Instantiating module "noop" from file /etc/raddb/mods-enabled/always # Instantiating module "updated" from file /etc/raddb/mods-enabled/always # Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject [/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT". [/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT". # Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response # Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog # Instantiating module "log_accounting" from file /etc/raddb/mods-enabled/linelog # Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /etc/raddb/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log # Instantiating module "eap" from file /etc/raddb/mods-enabled/eap # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_leap # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" ca_file = "/etc/raddb/certs/ca.pem" private_key_password = <<< secret >>> dh_file = "/etc/raddb/certs/dh" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT" cipher_server_preference = no ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime # Instantiating module "ldap" from file /etc/raddb/mods-enabled/ldap rlm_ldap: libldap vendor: OpenLDAP, version: 20440 accounting { reference = "%{tolower:type.%{Acct-Status-Type}}" } post-auth { reference = "." } rlm_ldap (ldap): Initialising connection pool pool { start = 5 min = 3 max = 32 spare = 10 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 30 spread = no } rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldap://10.1.0.9:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (1), 1 of 31 pending slots used rlm_ldap (ldap): Connecting to ldap://10.1.0.9:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (2), 1 of 30 pending slots used rlm_ldap (ldap): Connecting to ldap://10.1.0.9:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (3), 1 of 29 pending slots used rlm_ldap (ldap): Connecting to ldap://10.1.0.9:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Opening additional connection (4), 1 of 28 pending slots used rlm_ldap (ldap): Connecting to ldap://10.1.0.9:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful # Instantiating module "pap" from file /etc/raddb/mods-enabled/pap # Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups reading pairlist file /etc/raddb/mods-config/preprocess/hints # Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap rlm_mschap (mschap): using internal authentication # Instantiating module "detail" from file /etc/raddb/mods-enabled/detail # Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/raddb/radiusd.conf } # server server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} Ignoring "sql" (see raddb/mods-available/README.rst) # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} # Skipping contents of 'if' as it is always 'false' -- /etc/raddb/sites-enabled/inner-tunnel:331 } # server inner-tunnel server default { # from file /etc/raddb/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} # Loading preacct {...} # Loading accounting {...} # Loading post-proxy {...} # Loading post-auth {...} } # server default radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } listen { type = "auth" ipaddr = 10.1.0.150 port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 60 } } listen { type = "acct" ipaddr = 10.1.0.150 port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Listening on auth address 10.1.0.150 port 1812 bound to server default Listening on acct address 10.1.0.150 port 1813 bound to server default Listening on proxy address * port 51049 Ready to process requests 1) Received Access-Request Id 70 from 10.10.0.10:51639 to 10.1.0.150:1812 length 112 (1) User-Name = "darrain.waters-admin" (1) User-Password = "*" (1) NAS-Identifier = "mx480-nal-g04-1" (1) Calling-Station-Id = "10.99.99.10" (1) NAS-IP-Address = 192.168.0.1 (1) # Executing section authorize from file /etc/raddb/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) auth_log: EXPAND /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (1) auth_log: --> /var/log/radacct/10.10.0.10/auth-detail-20170624 (1) auth_log: /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radacct/10.10.0.10/auth-detail-20170624 (1) auth_log: EXPAND %t (1) auth_log: --> Sat Jun 24 16:46:10 2017 (1) [auth_log] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "darrain.waters-admin", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: No EAP-Message, not doing EAP (1) [eap] = noop rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 79 seconds rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 79 seconds rlm_ldap (ldap): Closing connection (4): Hit idle_timeout, was idle for 79 seconds rlm_ldap (ldap): Reserved connection (0) (1) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (1) ldap: --> (uid=darrain.waters-admin) (1) ldap: Performing search in "cn=users,cn=accounts,dc=scinet,dc=ars,dc=usda,dc=gov" with filter "(uid=darrain.waters-admin)", scope "sub" (1) ldap: Waiting for search result... (1) ldap: User object found at DN "uid=darrain.waters-admin,cn=users,cn=accounts,dc=scinet,dc=ars,dc=usda,dc=gov" (1) ldap: Processing user attributes (1) ldap: control:Password-With-Header += '{SSHA}xOm2VtJIOjqbxdDvam0B27+oqrLsRiBxfVZyaw==' rlm_ldap (ldap): Released connection (0) Need 7 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (6), 1 of 29 pending slots used rlm_ldap (ldap): Connecting to ldap://10.1.0.9:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (1) [ldap] = updated (1) files: Searching for user in group "admins" rlm_ldap (ldap): Reserved connection (5) (1) files: Using user DN from request "uid=darrain.waters-admin,cn=users,cn=accounts,dc=scinet,dc=ars,dc=usda,dc=gov" (1) files: Checking for user in group objects (1) files: EXPAND (&(cn=admins)(objectClass=posixGroup)(memberof=%{control:Ldap-UserDn})(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) (1) files: --> (&(cn=admins)(objectClass=posixGroup)(memberof=uid\3ddarrain.waters-admin\2ccn\3dusers\2ccn\3daccounts\2cdc\3dscinet\2cdc\3dars\2cdc\3dusda\2cdc\3dgov)(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3ddarrain.waters-admin\2ccn\3dusers\2ccn\3daccounts\2cdc\3dscinet\2cdc\3dars\2cdc\3dusda\2cdc\3dgov))) (1) files: Performing search in "cn=users,cn=accounts,dc=scinet,dc=ars,dc=usda,dc=gov" with filter "(&(cn=admins)(objectClass=posixGroup)(memberof=uid\3ddarrain.waters-admin\2ccn\3dusers\2ccn\3daccounts\2cdc\3dscinet\2cdc\3dars\2cdc\3dusda\2cdc\3dgov)(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3ddarrain.waters-admin\2ccn\3dusers\2ccn\3daccounts\2cdc\3dscinet\2cdc\3dars\2cdc\3dusda\2cdc\3dgov)))", scope "sub" (1) files: Waiting for search result... (1) files: Search returned no results (1) files: Checking user object's memberOf attributes (1) files: Performing unfiltered search in "uid=darrain.waters-admin,cn=users,cn=accounts,dc=scinet,dc=ars,dc=usda,dc=gov", scope "base" (1) files: Waiting for search result... (1) files: Processing memberOf value "cn=admins,cn=groups,cn=accounts,dc=scinet,dc=ars,dc=usda,dc=gov" as a DN (1) files: Resolving group DN "cn=admins,cn=groups,cn=accounts,dc=scinet,dc=ars,dc=usda,dc=gov" to group name (1) files: Performing unfiltered search in "cn=admins,cn=groups,cn=accounts,dc=scinet,dc=ars,dc=usda,dc=gov", scope "base" (1) files: Waiting for search result... (1) files: Group DN "cn=admins,cn=groups,cn=accounts,dc=scinet,dc=ars,dc=usda,dc=gov" resolves to name "admins" (1) files: User found in group "admins". Comparison between membership: name (resolved from DN "cn=admins,cn=groups,cn=accounts,dc=scinet,dc=ars,dc=usda,dc=gov"), check: name rlm_ldap (ldap): Released connection (5) (1) files: users: Matched entry DEFAULT at line 72 (1) [files] = ok (1) [expiration] = noop (1) [logintime] = noop (1) pap: Converted: &control:Password-With-Header -> &control:SSHA1-Password (1) pap: Removing &control:Password-With-Header (1) pap: Normalizing SSHA1-Password from base64 encoding, 40 bytes -> 28 bytes (1) pap: WARNING: Auth-Type already set. Not setting to PAP (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = Accept (1) Auth-Type = Accept, accepting the user (1) # Executing section post-auth from file /etc/raddb/sites-enabled/default (1) post-auth { (1) update { (1) No attributes updated (1) } # update = noop (1) [exec] = noop (1) policy remove_reply_message_if_eap { (1) if (&reply:EAP-Message && &reply:Reply-Message) { (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (1) else { (1) [noop] = noop (1) } # else = noop (1) } # policy remove_reply_message_if_eap = noop (1) } # post-auth = noop (1) Sent Access-Accept Id 70 from 10.1.0.150:1812 to 10.10.0.10:51639 length 0 (1) Finished request Waking up in 4.9 seconds. (1) Cleaning up request packet ID 70 with timestamp +79
On Jun 24, 2017, at 5:53 PM, Darrain Waters <dwaters@bioteam.net> wrote:
I need to map ldap authenticated (389directory) users to juniper nas local accounts that all have different access rights. I clearly run the ldap module, and do a group search to verify a user can access based on group. Is it possible to take the group the ldap module finds and map it to a same named account on the juniper was ?
I'm not really sure what that means...
I want to avoid using the remote user id on the juniper nas with the access class that I assign, and instead use the different accounts on the juniper nas which are different access levels:
user-ro user-op user-su
Could you describe what you want to do using examples... i.e. what a user types when they login to the Juniper box, what's in the Access-Request, and what you want to be in the Access-Accept. i.e. In order to configure it, you need to know what you want it to do. Once your requirements are written down, the solutions are usually pretty straightforward.
I have not messed with the git pulled 3.0.14 config files other than ldap, clients.conf and users file. See radiusd -X below for run info. In my users file I have:
DEFAULT LDAP-Group == "admins", Auth-Type := Accept
That lets users log in without doing password checks. This is likely not what you want.
Junipers instructions are as follow, which I have tried:
Do those instructions work? If so, make small modifications to change them to do what you want. Alan DeKok.
AD: I'm not really sure what that means... I can see where it is not clear. AD: Could you describe what you want to do using examples... i.e. what a user types when they login to the Juniper box, what's in the Access-Request, and what you want to be in the Access-Accept. I would like to map the group "admins" in the ldap directory, to the super-user account "admin-su" on a Juniper NAS. Likewise, map a directory group "net-ro" to the read-only account "admin-ro" on a juniper nas. When a user attempts to log into a nas with ldap account, the request goes to radius which looks up the user group membership & password. If the ldap user belongs to group "admins" in the ldap directory, the user is granted super-user rights via admin-su account on the juniper nas. If a user attempts juniper nas login, and belongs to ldap "net-ro" group they are given "admin-ro" read-only access to the juniper nas. I can log into the juniper nas with my ldap user and pass, but the Juniper has an account known as "remote" that catches all requests. The "remote" account is unique and only allows 1 type of user access at a time. So, if I want to grant different users su or ro access to the nas, I can't in this scenario. AD: That lets users log in without doing password checks. This is likely not what you want. You are right, I do not want to allow user access without a password. I have removed DEFAULT LDAP-Group == "admins", Auth-Type := Accept & replaced with DEFAULT LDAP-Group == "users", Auth-Type := Reject. I did this just to keep regular users fro being able to access the nas with their ldap user and pass. AD: Do those instructions work? If so, make small modifications to change them to do what you want. The Juniper instructions do not work and are probably old, though they came from a recently dated post. Thank you. Darrain On Sat, Jun 24, 2017 at 10:05 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Jun 24, 2017, at 5:53 PM, Darrain Waters <dwaters@bioteam.net> wrote:
I need to map ldap authenticated (389directory) users to juniper nas
local
accounts that all have different access rights. I clearly run the ldap module, and do a group search to verify a user can access based on group. Is it possible to take the group the ldap module finds and map it to a same named account on the juniper was ?
I'm not really sure what that means...
I want to avoid using the remote user id on the juniper nas with the access class that I assign, and instead use the different accounts on the juniper nas which are different access levels:
user-ro user-op user-su
Could you describe what you want to do using examples... i.e. what a user types when they login to the Juniper box, what's in the Access-Request, and what you want to be in the Access-Accept.
i.e. In order to configure it, you need to know what you want it to do. Once your requirements are written down, the solutions are usually pretty straightforward.
I have not messed with the git pulled 3.0.14 config files other than ldap, clients.conf and users file. See radiusd -X below for run info. In my users file I have:
DEFAULT LDAP-Group == "admins", Auth-Type := Accept
That lets users log in without doing password checks. This is likely not what you want.
Junipers instructions are as follow, which I have tried:
Do those instructions work? If so, make small modifications to change them to do what you want.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On Jun 25, 2017, at 1:10 AM, Darrain Waters <dwaters@bioteam.net> wrote:
I would like to map the group "admins" in the ldap directory, to the super-user account "admin-su" on a Juniper NAS. Likewise, map a directory group "net-ro" to the read-only account "admin-ro" on a juniper nas.
OK.
When a user attempts to log into a nas with ldap account, the request goes to radius which looks up the user group membership & password. If the ldap user belongs to group "admins" in the ldap directory, the user is granted super-user rights via admin-su account on the juniper nas. If a user attempts juniper nas login, and belongs to ldap "net-ro" group they are given "admin-ro" read-only access to the juniper nas.
That's clearer. So write that down as a series of statements and if / then / else checks: * when a user logs into the NAS, they do so with a name X, and password Y * that information is sent to FreeRADIUS in an Access-Request * FreeRADIUS checks to see if that name / password is OK, and rejects them if it's not OK. * if they are accepted, FreeRADIUS looks up their group information in LDAP * if they are in LDAP group "admins", FreeRADIUS should respond with Juniper-Local-User-Name = "admin-us" * else if they are in LDAP group "net-ro", FreeRADIUS should respond with Juniper-Local-User-Name = "admin-ro" Then, implement it piece by piece. Get LDAP authentication working. Then, get LDAP group checking working. That's done via the LDAP-Group attribute... You'll want to put the Juniper-Local-User-Name into the "post-auth" section, as that is run only after a user is authenticated. if (LDAP-Group == admins) { update reply { Juniper-Local-User-Name := "admin-us" } } You'll see that once you get the problem stated clearly, you can map that pretty directly into the FreeRADIUS configuration. Alan DeKok.
Strange things happen when you slow it down and map your thoughts :). I did have an elsif in the users file that clearly did not work based on location. Thanks very much for having a look at my question Alan. Best Darrain On Sun, Jun 25, 2017 at 7:41 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Jun 25, 2017, at 1:10 AM, Darrain Waters <dwaters@bioteam.net> wrote:
I would like to map the group "admins" in the ldap directory, to the super-user account "admin-su" on a Juniper NAS. Likewise, map a directory group "net-ro" to the read-only account "admin-ro" on a juniper nas.
OK.
When a user attempts to log into a nas with ldap account, the request goes to radius which looks up the user group membership & password. If the ldap user belongs to group "admins" in the ldap directory, the user is granted super-user rights via admin-su account on the juniper nas. If a user attempts juniper nas login, and belongs to ldap "net-ro" group they are given "admin-ro" read-only access to the juniper nas.
That's clearer. So write that down as a series of statements and if / then / else checks:
* when a user logs into the NAS, they do so with a name X, and password Y
* that information is sent to FreeRADIUS in an Access-Request
* FreeRADIUS checks to see if that name / password is OK, and rejects them if it's not OK.
* if they are accepted, FreeRADIUS looks up their group information in LDAP
* if they are in LDAP group "admins", FreeRADIUS should respond with Juniper-Local-User-Name = "admin-us"
* else if they are in LDAP group "net-ro", FreeRADIUS should respond with Juniper-Local-User-Name = "admin-ro"
Then, implement it piece by piece. Get LDAP authentication working. Then, get LDAP group checking working. That's done via the LDAP-Group attribute...
You'll want to put the Juniper-Local-User-Name into the "post-auth" section, as that is run only after a user is authenticated.
if (LDAP-Group == admins) { update reply { Juniper-Local-User-Name := "admin-us" } }
You'll see that once you get the problem stated clearly, you can map that pretty directly into the FreeRADIUS configuration.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
participants (2)
-
Alan DeKok -
Darrain Waters