Any way to implement privileges-granting as I configure in 'users'
Hello, Currently I'm using 'users file to authorize users against login on our network device like Switches. e.g # /etc/raddb/users ...... h3c Cleartext-Password := "netadmin" Service-Type = NAS-Prompt-User, Huawei-Exec-Privilege = "3", Login-Service = 50 ...... But I want to intergrate it with FreeIPA( which provides a LDAP service), which brings the benefit of using one-time-password(see this https://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as_a_RADIUS_based_... ) Apparently it's easy to configure user's account, but is there any way to handle the privileges related stuff like 'Huawei-Exec-Privilege = "3",' in LDAP? And by the way, how is 'authenticate section' in 'site-enabled/default' called? I'm a littble bit confused. Can I say that 'authenticate section is useless and would NEVER be called unless I add "Auth-Type:= FOO" in the 'authorize section' ? I guess this from the comment of 'default' . Thanks,
firstly, no working auth-type (ie something in authenticate section) and auth packets will be rejected. no auths. as for using LDAP - just stick the values you want into the LDAP locations you want and then use those populated fields in the decision tree when responding - read the ldap module docs - its so flexible and used so differently by people that you need to just read/understand the basics and then you can engineer the solution to your requirements alan On 17 November 2017 at 09:15, luckydog xf <luckydogxf@gmail.com> wrote:
Hello,
Currently I'm using 'users file to authorize users against login on our network device like Switches.
e.g # /etc/raddb/users ...... h3c Cleartext-Password := "netadmin" Service-Type = NAS-Prompt-User, Huawei-Exec-Privilege = "3", Login-Service = 50 ......
But I want to intergrate it with FreeIPA( which provides a LDAP service), which brings the benefit of using one-time-password(see this https://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as_a_RADIUS_based_... )
Apparently it's easy to configure user's account, but is there any way to handle the privileges related stuff like 'Huawei-Exec-Privilege = "3",' in LDAP?
And by the way, how is 'authenticate section' in 'site-enabled/default' called? I'm a littble bit confused. Can I say that 'authenticate section is useless and
would NEVER be called unless I add "Auth-Type:= FOO" in the 'authorize section' ? I guess this from the comment of 'default' .
Thanks, - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Nov 17, 2017, at 4:15 AM, luckydog xf <luckydogxf@gmail.com> wrote:
Currently I'm using 'users file to authorize users against login on our network device like Switches. ... But I want to intergrate it with FreeIPA( which provides a LDAP service), which brings the benefit of using one-time-password(see this https://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as_a_RADIUS_based_... )
Sure... one-time passwords don't always work, though. Specifically, with EAP / WiFi.
Apparently it's easy to configure user's account, but is there any way to handle the privileges related stuff like 'Huawei-Exec-Privilege = "3",' in LDAP?
Yes.
And by the way, how is 'authenticate section' in 'site-enabled/default' called? I'm a littble bit confused. Can I say that 'authenticate section is useless
Uh... no. It's there for a reason. If you read the comments in the configuration file, they will tell you what it does, and why it's used.
and
would NEVER be called unless I add "Auth-Type:= FOO" in the 'authorize section' ? I guess this from the comment of 'default' .
You "guess"? What part of the documentation requires guessing? Alan DeKok.
Hi, Could you give more hints about using One-Time-Password by LDAP? Thanks, And here comes the part of my guess, which is the comment of site-enabled/default ============= # Authentication. # # # This section lists which modules are available for authentication. # Note that it does NOT mean 'try each module in order'. It means # that a module from the 'authorize' section adds a configuration # attribute 'Auth-Type := FOO'. That authentication type is then # used to pick the appropriate module from the list below. # # In general, you SHOULD NOT set the Auth-Type attribute. The server # will figure it out on its own, and will do the right thing. The # most common side effect of erroneously setting the Auth-Type # attribute is that one authentication method will work, but the # others will not. # # The common reasons to set the Auth-Type attribute by hand # is to either forcibly reject the user (Auth-Type := Reject), # or to or forcibly accept the user (Auth-Type := Accept). # # Note that Auth-Type := Accept will NOT work with EAP. # # Please do not put "unlang" configurations into the "authenticate" # section. Put them in the "post-auth" section instead. That's what # the post-auth section is for. # authenticate { .... ======== On Fri, Nov 17, 2017 at 9:51 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Nov 17, 2017, at 4:15 AM, luckydog xf <luckydogxf@gmail.com> wrote:
Currently I'm using 'users file to authorize users against login on our network device like Switches. ... But I want to intergrate it with FreeIPA( which provides a LDAP service), which brings the benefit of using one-time-password(see this https://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_ as_a_RADIUS_based_software_token_OTP_system_with_CentOS/RedHat_7 )
Sure... one-time passwords don't always work, though. Specifically, with EAP / WiFi.
Apparently it's easy to configure user's account, but is there any way to handle the privileges related stuff like 'Huawei-Exec-Privilege = "3",' in LDAP?
Yes.
And by the way, how is 'authenticate section' in 'site-enabled/default' called? I'm a littble bit confused. Can I say that 'authenticate section is useless
Uh... no. It's there for a reason. If you read the comments in the configuration file, they will tell you what it does, and why it's used.
and
would NEVER be called unless I add "Auth-Type:= FOO" in the 'authorize section' ? I guess this from the comment of 'default' .
You "guess"? What part of the documentation requires guessing?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
participants (3)
-
Alan Buxey -
Alan DeKok -
luckydog xf