RE: How to restrict users /PAM to specific NAS devices??
Well here is where I am. I am using PAM. All I need to pull all the pieces together is one simple example of what has to be done to do the following: user1 and user2 can access devices 10.1.1.1, 10.1.1.2, and user3 can access only 10.1.1.3. ************* Here is where I am. To turn on rlm_passwd, I think, you have to goto radiusd.conf and create a passwd entry say passwd My_group { filename = ${raddbdir}/My.group format "=Group-Name:*,User-Name" authtype = PAM (I hope I can auth via PAM since that is how my security is tailored) delimiter = ":" Next, you have to add it to the dictionary ... My_group? Then, I was thinking I could use the huntgroups and add a entry called admin and ops. The huntgroup would include multiple entries huntgroups admin NAS-IP-Address = 10.1.1.1 admin NAS-IP-Address = 10.1.1.2 User-Name = user1, User-Name = user2 ops NAS-IP-Address = 10.1.1.3 User-Name = user3 Next, in the My.group file I would put "admin:user1,user2" and on the next line "ops:user3" Finally, if I am at least close, I am not entirely clear how to setup the USERS file for user1 and user2 and user3. Can I use the following: user1 My_group == "admin" ??? (this would add admin to my custom group for user1??) Then, how do I map user1 with My_group "admin" to the admin huntgroup? Or do I just insert a DEFAULT entry at the bottom and include huntgroup-name == admin ??? Scott -----Original Message----- From: freeradius-users-bounces+scott.1.ellis=lmco.com@lists.freeradius.org [mailto:freeradius-users-bounces+scott.1.ellis=lmco.com@lists.freeradius .org] On Behalf Of Alan DeKok Sent: Tuesday, January 02, 2007 4:12 PM To: FreeRadius users mailing list Subject: Re: How to restrict users /PAM to specific NAS devices?? Ellis, Scott 1 (N-Comptel Inc.) wrote:
I have looked it over, but I am still not clear.
What *exactly* about the documentation is not clear? You can use rlm_passwd to make a group of anything you want.
I was thinking that I could use huntgroups to map devices to specific groups, but then I am not clear on how to restrict users ('users' file) to those groups.
The FAQ has an example of limiting users to groups. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ellis, Scott 1 (N-Comptel Inc.) wrote:
Well here is where I am.
I am using PAM.
Yes, you've said that lots. And it has nothing to do with user names, grouping, or RADIUS client devices. It's completely irrelevant to the problem at habd.
All I need to pull all the pieces together is one simple example of what has to be done to do the following: user1 and user2 can access devices 10.1.1.1, 10.1.1.2, and user3 can access only 10.1.1.3. *************
Here is where I am. To turn on rlm_passwd, I think, you have to goto radiusd.conf and create a passwd entry say passwd My_group { filename = ${raddbdir}/My.group format "=Group-Name:*,User-Name"
No, the Group and Group-Name attributes are for Unix groups. The documentation for rlm_passwd says specifically that you need to create a different attribute.
authtype = PAM (I hope I can auth via PAM since that is how my security is tailored)
You don't need that line. Delete it.
Next, you have to add it to the dictionary ... My_group?
No.
Then, I was thinking I could use the huntgroups and add a entry called admin and ops. The huntgroup would include multiple entries
If you're going to use huntgroups, then you don't need to use rlm_passwd, but you do need extra entries in the "users" file... as documented in the "huntgroups" file itself.
huntgroups
admin NAS-IP-Address = 10.1.1.1 admin NAS-IP-Address = 10.1.1.2 User-Name = user1, User-Name = user2 ops NAS-IP-Address = 10.1.1.3 User-Name = user3
You should use the same huntgroup name for them all.
Finally, if I am at least close, I am not entirely clear how to setup the USERS file for user1 and user2 and user3.
You don't. As per the documentation in the "huntgroups" file, you can match a huntgroup by doing: DEFAULT Huntgroup-Name == "admin" If you read the FAQ, there is an example of rejecting a user based on certain criteria. With a little bit of putting the pieces together, the following should work: DEFAULT Huntgroup-Name != "admin", Auth-Type := Reject Which will reject everyone who doesn't match the criteria in the huntgroups file. If you want something more complicated, you will need a more complicated configuration. Part of the issue is that there is no one place which will give you the exact configuration you need to solve the problem. Instead, the documentation describes how to solve problems, and it's up to you to put the pieces together. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (2)
-
Alan DeKok -
Ellis, Scott 1 (N-Comptel Inc.)