Freeradius privilege separation
Hi! It is possible in freeradius to have one user who has full privilege level to one equipment (one cisco router privilege lvl15), and limited privilege level to other equipment (other router with smaller privilege e.g. lvl10 which will be configured on router)? How to separate it? My current configuration of users: mdopierala Auth-Type := PAP, Crypt-Password = "passwrd" Service-Type = "Administrative-User", Cisco-AVPair="shell:priv-lvl=15", Brocade-Auth-Role ="Administrator" and part of clienf.conf client 192.168.1.1 { secret = community shortname = router1 } client 192.168.1.2 { secret = community shortname = router2 } I'm waiting for response Michal Dopierala
On Thu, May 13, 2010 at 03:23:37PM +0200, Michał Dopierała wrote:
It is possible in freeradius to have one user who has full privilege level to one equipment (one cisco router privilege lvl15), and limited privilege level to other equipment (other router with smaller privilege e.g. lvl10 which will be configured on router)? How to separate it? My current configuration of users:
mdopierala Auth-Type := PAP, Crypt-Password = "passwrd" Service-Type = "Administrative-User", Cisco-AVPair="shell:priv-lvl=15", Brocade-Auth-Role ="Administrator"
Yes, just answer differently to each client (router) by assigning them to different virtual hosts. You can probably keep the authentication part in the users file if you want, but you can move the repetitive part of the authorization to unlang. Then your per-user attributes can be checked automatically with logic such as: if ("%{reply:Service-Type}" == "Login-User") { update reply { Cisco-AVPair = "shell:priv-lvl=1" } } elsif ("%{reply:Service-Type}" == "Administrative-User") { update reply { Cisco-AVPair = "shell:priv-lvl=15" } } else { reject } -- 2. That which causes joy or happiness.
Michał Dopierała wrote:
It is possible in freeradius to have one user who has full privilege level to one equipment (one cisco router privilege lvl15), and limited privilege level to other equipment (other router with smaller privilege e.g. lvl10 which will be configured on router)?
Yes.
How to separate it?
How are the requests different? Use that information to separate the policies for the two routers.
My current configuration of users:
mdopierala Auth-Type := PAP, Crypt-Password = "passwrd"
DON'T set Auth-Type. Honestly. This should be written in huge letters everywhere on all of the documentation.
Service-Type = "Administrative-User", Cisco-AVPair="shell:priv-lvl=15", Brocade-Auth-Role ="Administrator"
And it doesn't contain any *conditional* checks for different clients. You could do: mdopierala Packet-Src-IP-Address == 192.168.1.1, Cleartext-Password := ... ... i.e. check for NAS IP, and return different results based on that. Alan DeKok.
Thanks for response! So, users file can look like this: ========================users===================================== mdopierala Packet-Src-IP-Address == 192.168.1.1, Crypt-Password = "some_hash" Service-Type = "Administrative-User", Cisco-AVPair="shell:priv-lvl=15", Brocade-Auth-Role ="Administrator" mdopierala Packet-Src-IP-Address == 192.168.1.2, Crypt-Password = "some_hash2" Service-Type = "Administrative-User", Cisco-AVPair="shell:priv-lvl=1", Brocade-Auth-Role ="Administrator" ===================================================================== This way user mdopierala will have priv-lvl=15 to router1 and priv-lvl=1 to router2? I have a lot of users and clients in my environment(a lot of network equipments and administrators). Can I make any groups of this users and clients and then make policies to this groups? This way I could add new users to this groups apart from making separate policies. Unfortunately I work on producing environment and I can't make as many test as I wish. 2010/5/14 Alan DeKok <aland@deployingradius.com>
Michał Dopierała wrote:
It is possible in freeradius to have one user who has full privilege level to one equipment (one cisco router privilege lvl15), and limited privilege level to other equipment (other router with smaller privilege e.g. lvl10 which will be configured on router)?
Yes.
How to separate it?
How are the requests different? Use that information to separate the policies for the two routers.
My current configuration of users:
mdopierala Auth-Type := PAP, Crypt-Password = "passwrd"
DON'T set Auth-Type. Honestly. This should be written in huge letters everywhere on all of the documentation.
Service-Type = "Administrative-User", Cisco-AVPair="shell:priv-lvl=15", Brocade-Auth-Role ="Administrator"
And it doesn't contain any *conditional* checks for different clients.
You could do:
mdopierala Packet-Src-IP-Address == 192.168.1.1, Cleartext-Password := ... ...
i.e. check for NAS IP, and return different results based on that.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Michał Dopierała wrote:
Thanks for response!
So, users file can look like this:
Yes.
========================users=====================================
mdopierala Packet-Src-IP-Address == 192.168.1.1, Crypt-Password = "some_hash"
It's NOT a hash. It's a password.
This way user mdopierala will have priv-lvl=15 to router1 and priv-lvl=1 to router2?
Yes.
I have a lot of users and clients in my environment(a lot of network equipments and administrators). Can I make any groups of this users and clients and then make policies to this groups?
Yes. See "man rlm_passwd" for examples of making groups.
This way I could add new users to this groups apart from making separate policies. Unfortunately I work on producing environment and I can't make as many test as I wish.
If you don't test it, it won't work. Alan DeKok.
participants (3)
-
Alan DeKok -
Josip Rodin -
Michał Dopierała