different user perms for different clients
FreeRADIUS Version 3.0.7 Hello, I'm migrating to freeradius from Radiator, and the configuration files are very, very different, so I'm looking for some conceptual guidance, or some working examples. Essentially, I'm just not getting it when it comes to configuring a different list of users for each freeradius client. Not sure if I'm supposed to use huntgroups or features within client definitions. The background: We use Radius to authenticate access to Cisco switches (and some APC UPS devices). Our switches are mostly managed solely by a group of admins (users useraa, userbb, and usercc), and a user userdd with read-only access. Our Cisco switches are currently all statically listed as follows (in clients.conf): client coswe008 { ipv4addr = 10.79.161.102 secret = leauth nas_type = cisco } I have a file with our info configured in /etc/raddb/mods-enabled/passwd: passwd fss_passwd { filename = /usr/local/etc/raddb/fss-users.passwd delimiter = | format = "*User-Name:Crypt-Password:=Service-Type:=Cisco-AVPair:=APC-Service-Type" hash_size = 100 ignore_nislike = yes allow_multiple_keys = no } and the contents of fss-users.passwd: # File Format is (extra spaces around the '|' for ease of reading) # User-Name | Crypt-Password | Service-Type | Cisco-AVPair | APC-Service-Type useraa|OwdaaacZLaaaE|NAS-Prompt-User|shell:priv-lvl=15|Admin userbb|OwdbbbcZLbbbE|NAS-Prompt-User|shell:priv-lvl=15|Admin usercc|OwdccccZLcccE|NAS-Prompt-User|shell:priv-lvl=15|Admin userdd|OwddddcZLdddE|NAS-Prompt-User|shell:priv-lvl=1| and this works fine. What I'd like to be able to change, though, is for userdd to have admin access to two of our switches, and read access to all the rest. The essence of this question is how do I customize the user list for each client? Is it a huntgroup, or a conditional include in the clients.conf file? Thanks for what you can offer on this topic, pjc PS - is there an archive for this list that can be searched?
On May 6, 2015, at 8:52 PM, Pat Cain <moftsd@gmail.com> wrote:
Essentially, I'm just not getting it when it comes to configuring a different list of users for each freeradius client. Not sure if I'm supposed to use huntgroups or features within client definitions.
No. The users aren't tied to clients. The users are stored in a database. If you want to tie users to a client, you'll have to do that manually via unlang rules.
What I'd like to be able to change, though, is for userdd to have admin access to two of our switches, and read access to all the rest.
That's a good problem statement.
The essence of this question is how do I customize the user list for each client? Is it a huntgroup, or a conditional include in the clients.conf file?
You're looking for a database which contains a 2-d array of information. The columns are NASes. The rows are user names. Each entry is the admin level of the user. That can be done in SQL, or via the passwd module. See the etc_group module for examples. i.e. you can put admin users into a group, named for each NAS. Then, if the group name matches the NAS IP, the user has admin access. Otherwise, they have RO access.
PS - is there an archive for this list that can be searched?
Google. Alan DeKok.
On 07-05-15 15:30, Alan DeKok wrote:
On May 6, 2015, at 8:52 PM, Pat Cain <moftsd@gmail.com> wrote:
PS - is there an archive for this list that can be searched?
Google.
Or use the newsgroups from news.gmane.org, that way it's pretty easy to search with your favorite news reader. -- Herwin Weststrate
participants (3)
-
Alan DeKok -
Herwin Weststrate -
Pat Cain