FreeRadius - Cisco - Different privileges levels based on source device sending the Access-Request.
Hi everyone. We are currently experimenting with Radius and are looking to find a way to change the privilege levels when logging into a certain class of devices(and only these ones). Right now, we have the following setup. 1. Users attempts to log into a Cisco radius enable device. 2. Device starts the auth process with an Access-Request. 3. Freeradius checks the LDAP/FreeIPA backend and sends the reply with the VSA "“cisco-avpair" for the correct privilege level based on LDAP group membership. This works great but I'm looking for a way to change the returned privilege level based on the source device. Is there a way that the Access-Request can send additional attributes like hostnames, IOS versions or anything specific to the end device where the auth attempts starts? There are ways that the privilege level can match different permissions but those change means that each device will need to have the correct local configuration and I'd rather manage everything centrally ideally. Thank you!
On Jun 14, 2018, at 8:01 PM, Laurent Dumont <ldumont@northernsysadmin.com> wrote:
Hi everyone.
We are currently experimenting with Radius and are looking to find a way to change the privilege levels when logging into a certain class of devices(and only these ones). Right now, we have the following setup.
1. Users attempts to log into a Cisco radius enable device. 2. Device starts the auth process with an Access-Request. 3. Freeradius checks the LDAP/FreeIPA backend and sends the reply with the VSA "“cisco-avpair" for the correct privilege level based on LDAP group membership.
That’s exactly how I would implement it. Based on a tuple (user, Device) or (userGroup, DeviceGroup), the LDAP server knows based on group memberships which user group(s) the user is in. Same for the device. Query on the backend from most privilege to least. Most specific (User, Device), then (User, Device Group), (UserGroup, device), and finally (UserGroup, DeviceGroup). First most-specific match wins. You could ostensibly have an employee joe who is a network admin, so he gets cisco:shell-level=15 in each set of devices, but the last time he touched the core route reflectors, he broke the world, so you then define a privilege record (in LDAP) that specifically has (Joe, NoAccess). -- Coy Hile coy.hile@coyhile.com
This is exactly how I deployed it in my previous employer. I had a structure in LDAP for the source IP address so we mapped L aka location attribute in ldap the source IP to "Client shortname" and that was used to identify the element type. Then we did a search based on the user full DN in Group membership and "L" attribute to find out which group they were a part of. Then set an control attribute like tmp-string-0 as the element type and role or similar and log that to linelog so you know what role they were assigned when they got access I always intended to write up a blog post about how to do this as a cookbook. I really should do that sometime. On Fri, Jun 15, 2018 at 12:36 PM, Coy Hile <coy.hile@coyhile.com> wrote:
On Jun 14, 2018, at 8:01 PM, Laurent Dumont < ldumont@northernsysadmin.com> wrote:
Hi everyone.
We are currently experimenting with Radius and are looking to find a way to change the privilege levels when logging into a certain class of devices(and only these ones). Right now, we have the following setup.
1. Users attempts to log into a Cisco radius enable device. 2. Device starts the auth process with an Access-Request. 3. Freeradius checks the LDAP/FreeIPA backend and sends the reply with the VSA "“cisco-avpair" for the correct privilege level based on LDAP group membership.
That’s exactly how I would implement it. Based on a tuple (user, Device) or (userGroup, DeviceGroup), the LDAP server knows based on group memberships which user group(s) the user is in. Same for the device. Query on the backend from most privilege to least. Most specific (User, Device), then (User, Device Group), (UserGroup, device), and finally (UserGroup, DeviceGroup). First most-specific match wins.
You could ostensibly have an employee joe who is a network admin, so he gets cisco:shell-level=15 in each set of devices, but the last time he touched the core route reflectors, he broke the world, so you then define a privilege record (in LDAP) that specifically has (Joe, NoAccess).
-- Coy Hile coy.hile@coyhile.com
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
Laurent Dumont <ldumont@northernsysadmin.com> wrote:
Is there a way that the Access-Request can send additional attributes like hostnames, IOS versions or anything specific to the end device where the auth attempts starts?
There are various tweaks you can make that allow sending a few extra attributes. One is NAS-Identifier, and you can configure what it sends:
From the IOS docs:
radius-server attribute 32 include-in-access-req format cisco %h.%d %i ! The following string will be sent in attribute 32 (NAS-Identifier). "cisco router.nlab.cisco.com 10.0.1.67" ...this attribute is also VERY handy for logging purposes.
There are ways that the privilege level can match different permissions but those change means that each device will need to have the correct local configuration and I'd rather manage everything centrally ideally.
Failing the NAS-Identifier, the NAS-Port attribute may have a different format based on model. However, since these are admin logins, rather than network port access, the odds are low that you'd be able to use that without configuring something special on the special devices to alter the format of that attribute, which runs counter to your objective to keep your configs uniform to reduce your template load. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
Brian Julin -
Coy Hile -
Laurent Dumont -
Peter Lambrechtsen