"Mike May" <mmay3@nd.edu> wrote:
Hello everyone, is it possible to have NAS entries for a subnet, if so
could someone give me an example
raddb/clients.conf Alan DeKok. -- http://deployingradius.com <http://deployingradius.com/> - The web site of the book http://deployingradius.com/blog/ - The blog Thanks for example Alan, I thought it may be helpful for me to provide you some more information, I am not a Radius expert but have managed to keep a somewhat large client base using radius. I currently use the clients file to allow connections, but not to do any real authorization. Example of my clients file is below, this is only a small section as my radius servers handles modem pool, vpn, wireless, 802.1x etc and soon wired 802.1x. I use LDAP/ Kerberos as the authn backend I use huntgroup entries to point to matches in my users file see examples below. in the users file is where I am using ldaps.conf to connect to the directory servers, verifying what group the user is in and at the end authn to Kerberos store. After the authn I set some authz like Cisco-AVPair = "priv-lvl=15" used by Cisco routers and switches for network engineers who live in the proper LDAP group, here is where the problem is. PIX firewalls do not like me setting the priv lvl, and the reason is that the PIX will only accept authz from a tacacs server(it seems like). What I need to do is specify a "netauth" == NAS-IP-ADDRESS 192.168.20.0/23 subnet. Instead of "netauth" == NAS-IP-ADDRESS 192.168.20.15, this way I can use my users file and not set the Cisco priv lvl for those devices that live on the firewall subnets. Thank you for all your help Mike ========= clients.conf============================= #This are for network engineering devices (outside wireless and dialup) # 2/20/06 client 172.16.255.2/29 { secret shortname = devicenet-15 } client 172.16.240.0/20 { secret = shortname = devicenet-16 } client 172.17.240.0/20 { secret = shortname = devicenet-17 } client 172.18.240.0/20 { secret = shortname = devicenet-18 } client 172.19.240.0/20 { secret = shortname = devicenet-19 } client 172.20.240.0/20 { secret = shortname = devicenet-20 } client 172.21.240.0/20 { secret = shortname = devicenet-21 } client 172.22.240.0/20 { secret = shortname = devicenet-22 Huntgroups wireless-prime NAS-IP-Address == xxx.xxx.xxx.xxx wireless-backup NAS-IP-Address == xxx.xxx.xxx.xxx spam1 NAS-IP-Address == xxx.xxx.xxx.xxx spam2 NAS-IP-Address == xxx.xxx.xxx.xxx ciscovpnadmin NAS-IP-Address == xxx.xxx.xxx.xxx dialup8 NAS-IP-Address == xxx.xxx.xxx.xxx ciscovpnadmin2 NAS-IP-Address == xxx.xxx.xxx.xxx dialup9 NAS-IP-Address == xxx.xxx.xxx.xxx dialup10 NAS-IP-Address == xxx.xxx.xxx.xxx netautz NAS-Port-Type == "Virtual" netautz_fw NAS-IP-Address == xxxx netautz_fw1 NAS-IP-Address == xxxxx =================================================== Users file DEFAULT Huntgroup-Name == "netautz", Ldap-Group == ndeg6qr2, Autz-Type := ldap-vpn, Auth-Type := ldap-vpn Service-Type = 6, Cisco-AVPair = "priv-lvl=15", Fall-Through = Yes DEFAULT Huntgroup-Name == "netautz_fw", Ldap-Group == ndeg6qr2, Autz-Type := ldap-vpn, Auth-Type := ldap-vpn Service-Type = 6, Fall-Through = Yes DEFAULT Huntgroup-Name == "netautz_fw1", Ldap-Group == ndeg6qr2, Autz-Type := ldap-vpn, Auth-Type := ldap-vpn Service-Type = 6, Fall-Through = Yes # VPN Group Definition note please make additions at the begining of the stanza not the end DEFAULT Huntgroup-Name == "ciscovpnadmin", Hint =="NETENG", Ldap-Group == ndbx2jj5, Autz-Type := ldap-vpn, Auth-Type := ldap-vpn CVPN3000-IPSec-Banner1 = "Welcome to VPN group NETENG!", Class = "OU=neteng;", Fall-Through = No
"Mike May" <mmay3@nd.edu> wrote:
After the authn I set some authz like Cisco-AVPair = "priv-lvl=15" used by Cisco routers and switches for network engineers who live in the proper LDAP group, here is where the problem is. PIX firewalls do not like me setting the priv lvl, and the reason is that the PIX will only accept authz from a tacacs server(it seems like).
So.. don't specify that for the PIX firewall, *or* add it only for the non-PIX machines.
What I need to do is specify a "netauth" == NAS-IP-ADDRESS 192.168.20.0/23 subnet. Instead of "netauth" == NAS-IP-ADDRESS 192.168.20.15, this way I can use my users file and not set the Cisco priv lvl for those devices that live on the firewall subnets.
You can match IP's via regular expressions. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (2)
-
Alan DeKok -
Mike May