Hi everybody! I'm a new subcriber of this list. I'm trying to setup a radius server with LDAP authentication; I've managed to authenticate a user (from a Cisco Device), but my fellows from Security Department think that we should have a two-step authentication: 1. User/password authentication, searching in cn=users,ou=pepe,ou=jose,c=es 2. A compare request, searching a specific objectclass in the LDAP tree. So, the idea is the following one: depending on the NAS-IP-Address, not only to check for a correct password, but search the uid in an objectclass called owner in the entry cn=deviceX,ou=pepe,ou=jose,c=es. deviceX is the one with the source NAS-IP-Address. I Know how to unlang using swicht statements, configuring differents ldap's modules in the radius server, so I can write the basedn I want. But how can do the step 2? Thank you and sorry for my english.
In article <BAY154-w6AE2B5874B5015E85E875C07A0@phx.gbl> you wrote:
I'm a new subcriber of this list. I'm trying to setup a radius server with LDAP authentication; I've managed to authenticate a user (from a Cisco Device), but my fellows from Security Department think that we should have a two-step authentication:
Ask your security folk for *today* a list of people who may only administrator one selection of devices and not the other. If they actually do not use the facility then it is a waste of time implementing it (it is easy enough to implement later on); I get the impression this is a "not needed but would be nice if this could be done". :) Far more appropriate is to configure the switches to all log to a central syslog server (so you know who and when someone logged in and out) and configure something like RANCID to record the configuration changes. ...anyway, onto the problem.
1. User/password authentication, searching in cn=users,ou=pepe,ou=jose,c=es
2. A compare request, searching a specific objectclass in the LDAP tree.
So, the idea is the following one: depending on the NAS-IP-Address, not only to check for a correct password, but search the uid in an objectclass called owner in the entry cn=deviceX,ou=pepe,ou=jose,c=es.
deviceX is the one with the source NAS-IP-Address. I Know how to unlang using swicht statements, configuring differents ldap's modules in the radius server, so I can write the basedn I want.
But how can do the step 2?
The easiest approach is to create LDAP groups based on the NAS-IP-Address and then test to see if the user is a member of the group '%{NAS-IP-Address}'. Once you create the LDAP groups and make the users members of them you can use unlang in your 'authorize' section in a manner like: authorize { .... ldap if (Ldap-Group != "%{NAS-IP-Address}") { update reply { Reply-Message := "no way kiddo" } reject } ,,,, } This is off the top of my head but should give you what you are looking for; you will see in the output of 'freeradius -X' it doing what you roughly need. The only problem I can see with it is that if you have a lot of switches to log into, the number of groups you have to add a user to becomes a real tedious process; this problem could be solved by using something like the following instead: http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg59481.h... http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg62699.h... Cheers -- Alexander Clouter .sigmonster says: I hate quotations. -- Ralph Waldo Emerson
participants (2)
-
Alexander Clouter -
Juan Rodríguez