How to restrict authorization to members of FreeIPA group
Hi, I'm very new to FreeRADIUS and I'm quite confused about the configuration. We have a Cisco for VPN and we have FreeIPA for the user administration. What I want is to only allow users in a FreeIPA group to connect to the VPN. Notice that, as far as FreeRADIUS is concerned FreeIPA is just an LDAP server. So far I am able to connect the radius server to our FreeIPA server. Using the radtest command I can see that authentication works. (I'm not sure about authorization, though.) The Cisco is configured and FreeIPA users can connect to the VPN. However, I haven't figured out how to restrict VPN to only users from a specific group. Which configuration file do I need to adapt? Where should I be looking? -- Kees
On Jul 9, 2019, at 3:01 PM, Kees Bakker via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
We have a Cisco for VPN and we have FreeIPA for the user administration. What I want is to only allow users in a FreeIPA group to connect to the VPN. Notice that, as far as FreeRADIUS is concerned FreeIPA is just an LDAP server.
That's good.
So far I am able to connect the radius server to our FreeIPA server. Using the radtest command I can see that authentication works. (I'm not sure about authorization, though.)
RADIUS uses one packet for authentication and authorization.
The Cisco is configured and FreeIPA users can connect to the VPN. However, I haven't figured out how to restrict VPN to only users from a specific group.
Which configuration file do I need to adapt? Where should I be looking?
You need to check LDAP groups. See sites-available/default In the "post-auth" section, add: if (LDAP-Group == "groupname") { update reply { Tunnel-Type := VLAN Tunnel-Medium-Type := IEEE-802 Tunnel-Private-Group-ID := "vlan name" } } Alan DeKok.
On 09-07-19 15:05, Alan DeKok wrote:
On Jul 9, 2019, at 3:01 PM, Kees Bakker via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
We have a Cisco for VPN and we have FreeIPA for the user administration. What I want is to only allow users in a FreeIPA group to connect to the VPN. Notice that, as far as FreeRADIUS is concerned FreeIPA is just an LDAP server. That's good.
So far I am able to connect the radius server to our FreeIPA server. Using the radtest command I can see that authentication works. (I'm not sure about authorization, though.) RADIUS uses one packet for authentication and authorization.
The Cisco is configured and FreeIPA users can connect to the VPN. However, I haven't figured out how to restrict VPN to only users from a specific group.
Which configuration file do I need to adapt? Where should I be looking? You need to check LDAP groups. See sites-available/default
In the "post-auth" section, add:
if (LDAP-Group == "groupname") { update reply { Tunnel-Type := VLAN Tunnel-Medium-Type := IEEE-802 Tunnel-Private-Group-ID := "vlan name" } }
Thanks for this example. Meanwhile we have found another suggestion which seems to be working. But it remains magic. In sites-available/default we have this authorize { ... ldap if ((ok || updated) && User-Password) { update { control:Auth-Type := ldap } } group_authorization ... In mods-config/preprocess/huntgroups we defined a new huntgroup ourgw NAS-IP-Address == 172.16.16.1 In a new file policy.d/group_authorization we have #--------------------------------------------------------------------------------------- group_authorization { if (&Huntgroup-Name == "ourgw") { if (&LDAP-Group[*] == "cn=vpn_users,cn=groups,cn=accounts,$SUFFIX") { ok } else { update reply { &Reply-Message := "Not authorized for VPN" } reject } } else { update reply { &Reply-Message := "Not authorized for unknown huntgroup" } reject } } #--------------------------------------------------------------------------------------- This is working for us. But I must say that we don't know if the rejects in the else parts are correct. We do have a problem that the Cisco does not look at its local users anymore (if the radius server is present). -- Kees
On Jul 10, 2019, at 9:35 AM, Kees Bakker via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Meanwhile we have found another suggestion which seems to be working. But it remains magic.
It does what you want. :)
In sites-available/default we have this
authorize { ... ldap if ((ok || updated) && User-Password) { update { control:Auth-Type := ldap } } group_authorization
Basically "If the user was found in LDAP, AND they were trying to authenticate with a clear-text password, THEN use LDAP bind for authentication". The only magic is the technical bits tying it all together.
In mods-config/preprocess/huntgroups we defined a new huntgroup
ourgw NAS-IP-Address == 172.16.16.1
You shouldn't need to do that. You can just check the NAS-IP-Address directly.
In a new file policy.d/group_authorization we have
#--------------------------------------------------------------------------------------- group_authorization { if (&Huntgroup-Name == "ourgw") { if (&LDAP-Group[*] == "cn=vpn_users,cn=groups,cn=accounts,$SUFFIX") { ok } else { update reply { &Reply-Message := "Not authorized for VPN" } reject } } else { update reply { &Reply-Message := "Not authorized for unknown huntgroup" } reject } } #---------------------------------------------------------------------------------------
This is working for us. But I must say that we don't know if the rejects in the else parts are correct.
It's a little complex. You can simplify it by noticing that "reject" means "reject NOW and stop processing the packet". Which means tat you can do the following. Though I'm not clear why you need to check for a known client. The "clients.conf" file already checks for that. group_authorization { # # don't check huntgroup, just check NAS IP # if (NAS-IP-Address != 172.16.16.1) { reject } # # If the user isn't in this LDAP group, reject # if (LDAP-Group != "cn=vpn_users,cn=groups,cn=accounts,$SUFFIX") { reject } ok } Much simpler.
We do have a problem that the Cisco does not look at its local users anymore (if the radius server is present).
That's an issue for the Cisco documentation. But typically, the NAS does local *or* remote users. The NAS may have one "fall-back" user which can log in when the RADIUS server isn't available. But that's it. Alan DeKok.
On 10-07-19 21:17, Alan DeKok wrote:
On Jul 10, 2019, at 9:35 AM, Kees Bakker via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Meanwhile we have found another suggestion which seems to be working. But it remains magic. It does what you want. :)
That's not how I want to use tools. :-)
In sites-available/default we have this
authorize { ... ldap if ((ok || updated) && User-Password) { update { control:Auth-Type := ldap } } group_authorization Basically "If the user was found in LDAP, AND they were trying to authenticate with a clear-text password, THEN use LDAP bind for authentication".
The only magic is the technical bits tying it all together.
In mods-config/preprocess/huntgroups we defined a new huntgroup
ourgw NAS-IP-Address == 172.16.16.1 You shouldn't need to do that. You can just check the NAS-IP-Address directly.
In a new file policy.d/group_authorization we have
#--------------------------------------------------------------------------------------- group_authorization { if (&Huntgroup-Name == "ourgw") { if (&LDAP-Group[*] == "cn=vpn_users,cn=groups,cn=accounts,$SUFFIX") { ok } else { update reply { &Reply-Message := "Not authorized for VPN" } reject } } else { update reply { &Reply-Message := "Not authorized for unknown huntgroup" } reject } } #---------------------------------------------------------------------------------------
This is working for us. But I must say that we don't know if the rejects in the else parts are correct. It's a little complex. You can simplify it by noticing that "reject" means "reject NOW and stop processing the packet".
Which means tat you can do the following. Though I'm not clear why you need to check for a known client. The "clients.conf" file already checks for that.
group_authorization { # # don't check huntgroup, just check NAS IP # if (NAS-IP-Address != 172.16.16.1) { reject }
# # If the user isn't in this LDAP group, reject # if (LDAP-Group != "cn=vpn_users,cn=groups,cn=accounts,$SUFFIX") { reject }
ok }
Much simpler.
Indeed. That makes sense.
We do have a problem that the Cisco does not look at its local users anymore (if the radius server is present). That's an issue for the Cisco documentation.
But typically, the NAS does local *or* remote users. The NAS may have one "fall-back" user which can log in when the RADIUS server isn't available. But that's it.
Alan DeKok.
Thanks -- Kees Bakker
participants (2)
-
Alan DeKok -
Kees Bakker