How to allow specific group users only to auth
Hello Everyone, We have freeradius server with freeipa server backend for ldap authentication. Currently we able to use and login freeipa ldap accounts using freeradius, each every user available on freeipa ldap is able to login in all devices where ever we configured freeradius. Some of the devices like network devices we want to restricted only specific users (group users) are allowed to login. I a very new to this i tried but i am unable to figure out where should i mention/put restriction to check users group and allow to login. Thanks, Mohiddin.
check the LDAP group (make a group that is relevant for device login)...then for your kit you want to protect, create eg soem client definition for it and use unlang eg client 127.0.0.1 { ... ... netdevice = yes .. } if (&client:netdevice = yes && LDAP-Group != networkmgmt) { On 9 May 2018 at 17:35, Mohiddin Shaik <kms31786@gmail.com> wrote:
Hello Everyone,
We have freeradius server with freeipa server backend for ldap authentication.
Currently we able to use and login freeipa ldap accounts using freeradius, each every user available on freeipa ldap is able to login in all devices where ever we configured freeradius. Some of the devices like network devices we want to restricted only specific users (group users) are allowed to login.
I a very new to this i tried but i am unable to figure out where should i mention/put restriction to check users group and allow to login.
Thanks, Mohiddin. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
ooops, typed enter on wrong focus... something like: (this is just speculative, written roughly down, untested.... if (&client:netdevice = yes && LDAP-Group != networkmgmt) { update control { Auth-Type := Reject } }
thx ;-) I was wondering if some web-site graphical policy manager that spat out the resulting unlang would be the thing to have :) alan
Hi Alan, Thanks for your quick help on this. I tried to put below command on client.conf /available/ldap, but no luck and comment out the line, i am not a master in this it will be really appreciated if you can help me on this. if (("%{client:netdevice}" == "yes") && LDAP-Group != networkmgmt) { reject } On Thu, May 10, 2018 at 12:03 AM, Alan Buxey <alan.buxey@gmail.com> wrote:
thx ;-)
I was wondering if some web-site graphical policy manager that spat out the resulting unlang would be the thing to have :)
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On May 10, 2018, at 5:26 AM, Mohiddin Shaik <kms31786@gmail.com> wrote:
I tried to put below command on client.conf /available/ldap, but no luck
It doesn't go there. If you run the server in debug mode, it will *tell you* that it doesn't go there. Put it into the "authorize" section, along with all of the other "if" statements. Alan DeKok.
participants (3)
-
Alan Buxey -
Alan DeKok -
Mohiddin Shaik