Using Groups to Limit Authentication to Network Devices
I'm trying to setup freeradius to authenticate users via LDAP but pull group information via MySQL. I currently only need radius for authentication to network devices (switches, PDUs, etc) but want to make sure I set it up so that I don't shoot myself in the foot later. In trying to get the correct attributes assigned to a group I've noticed that I need to set Fall-Through on each group that a user belongs to in order to have later groups evaluated. Is there a better way that I can say something like, "this client should check for access from these groups" so that I only need to set Fall-Through on certain groups instead of all? -Doug
Hi Friend, I am new to Free radius server but I have worked on windows base RADIUS server. As I understood your requirement that u wanted to authenticate only switches & PDU, on basis of group belongs. For this below are some logic steps that could help you out. 1. Switches & PDu request should go to radius, for this you can try 802.1x configuration to redirect authentication to wards radius. 2. U should have radius configuration for authentication mechanism In this basis validity (e.g mac, name) & pl check while request coming towards radius should have an infortion abt grup details. for group in radius server should be connected to LDAP server where groups are configure. Also auth. mechanism for radius should contain check for "device belongs to which group" 3. client should have same configuration done for security, as the policies are set on radius server. On Fri, Mar 26, 2010 at 7:30 PM, Doug Warner <doug@warner.fm> wrote:
I'm trying to setup freeradius to authenticate users via LDAP but pull group information via MySQL. I currently only need radius for authentication to network devices (switches, PDUs, etc) but want to make sure I set it up so that I don't shoot myself in the foot later.
In trying to get the correct attributes assigned to a group I've noticed that I need to set Fall-Through on each group that a user belongs to in order to have later groups evaluated. Is there a better way that I can say something like, "this client should check for access from these groups" so that I only need to set Fall-Through on certain groups instead of all?
-Doug
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Regards, Prashant 9820527655
On Sat, Mar 27, 2010 at 3:00 AM, Doug Warner <doug@warner.fm> wrote:
I'm trying to setup freeradius to authenticate users via LDAP but pull group information via MySQL. I currently only need radius for authentication to network devices (switches, PDUs, etc) but want to make sure I set it up so that I don't shoot myself in the foot later.
In trying to get the correct attributes assigned to a group I've noticed that I need to set Fall-Through on each group that a user belongs to in order to have later groups evaluated. Is there a better way that I can say something like, "this client should check for access from these groups" so that I only need to set Fall-Through on certain groups instead of all?
Why not just use LDAP all together for your group based auth. This is how I do it and it works well, and doesn't need any schema extensions. http://lists.freeradius.org/mailman/htdig/freeradius-users/2009-November/msg... Then all you have to do is modify the hostgroups & postauth_users file when you add new NAS's.
On 03/27/2010 01:46 AM, Peter Lambrechtsen wrote:
On Sat, Mar 27, 2010 at 3:00 AM, Doug Warner <doug@warner.fm <mailto:doug@warner.fm>> wrote:
I'm trying to setup freeradius to authenticate users via LDAP but pull group information via MySQL. I currently only need radius for authentication to network devices (switches, PDUs, etc) but want to make sure I set it up so that I don't shoot myself in the foot later.
In trying to get the correct attributes assigned to a group I've noticed that I need to set Fall-Through on each group that a user belongs to in order to have later groups evaluated. Is there a better way that I can say something like, "this client should check for access from these groups" so that I only need to set Fall-Through on certain groups instead of all?
Why not just use LDAP all together for your group based auth. This is how I do it and it works well, and doesn't need any schema extensions.
http://lists.freeradius.org/mailman/htdig/freeradius-users/2009-November/msg...
Then all you have to do is modify the hostgroups & postauth_users file when you add new NAS's.
I don't have control over the LDAP server at all so I can't change what groups people are in. I think I've managed to get things working by setting up a huntgroup with the SQL-Group set to check that the user is in a specific group. I then have the users file set up to assign the appropriate attributes to the huntgroup. -Doug
participants (3)
-
Doug Warner -
Peter Lambrechtsen -
prashant.siemens@gmail.com