Is there a way to set FreeRADIUS to authenticate against specific group of users for certain devices. For example, DEFAULT Auth-Type = System Fall-Through = Yes, cisco-avpair = "shell:priv-lvl=1", Service-Type = NAS-Prompt-User DEFAULT Group == router-rw cisco-avpair := "shell:priv-lvl=15" DEFAULT Group == fw-admin cisco-avpair := "shell:priv-lvl=15" Can I have the PIX to authenticate only against group fw-admin? Norman
Yes. Use NAS-IP-Address as check item. If you need a list of groups and/or users/callerIDs/etc. that are allowed then use a huntgroup. Ivan Kalik Kalik Informatika ISP Dana 26/4/2007, "Norman Zhang" <norman.zhang@gmail.com> piše:
Is there a way to set FreeRADIUS to authenticate against specific group of users for certain devices. For example,
DEFAULT Auth-Type = System Fall-Through = Yes, cisco-avpair = "shell:priv-lvl=1", Service-Type = NAS-Prompt-User
DEFAULT Group == router-rw cisco-avpair := "shell:priv-lvl=15"
DEFAULT Group == fw-admin cisco-avpair := "shell:priv-lvl=15"
Can I have the PIX to authenticate only against group fw-admin?
Norman
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
tnt@kalik.co.yu wrote:
Yes. Use NAS-IP-Address as check item. If you need a list of groups and/or users/callerIDs/etc. that are allowed then use a huntgroup.
I added the following lines to huntgroup. fw-pix NAS-IP-Address == 10.0.0.1 fw-pix NAS-IP-Address == 10.0.0.2 fw-pix-group NAS-IP-Address == 10.0.0.1 User-Name = fw-admin, Group = fw-group However, I'm getting the following error. Could someone please give me few pointers? Norman --- Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 5 ID 25 with timestamp 46362f79 Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 26 to 10.0.0.1:1812 Cisco-AVPair = "shell:priv-lvl=1" Waking up in 4 seconds... rad_recv: Access-Request packet from host 10.0.0.1:1812, id=27, length=109 User-Name = "fw-admin" NAS-IP-Address = 10.0.0.1 Calling-Station-Id = "10.0.0.3" User-Password = "\025\372\202`\370RE\005\327\231^\200\303\353" NAS-Port = 27 Cisco-AVPair = "ip:source-ip=10.0.0.3" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "chap" returns noop for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "fw-admin", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 7 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 7 users: Matched DEFAULT at 152 modcall[authorize]: module "files" returns ok for request 7 modcall: group authorize returns ok for request 7 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_unix: [fw-admin]: invalid password modcall[authenticate]: module "unix" returns reject for request 7 modcall: group authenticate returns reject for request 7 auth: Failed to validate the user. Login incorrect: [fw-admin] (from client pix-network port 27 cli 10.0.0.3) WARNING: Unprintable characters in the password. ? Double-check the shared secret on the server and the NAS! Delaying request 7 for 1 seconds Finished request 7 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 6 ID 26 with timestamp 46362f7e Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 27 to 10.0.0.1:1812 Cisco-AVPair = "shell:priv-lvl=1" Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 7 ID 27 with timestamp 46362f83 Nothing to do. Sleeping until we see a request.
Norman Zhang wrote:
tnt@kalik.co.yu wrote:
Yes. Use NAS-IP-Address as check item. If you need a list of groups and/or users/callerIDs/etc. that are allowed then use a huntgroup.
I added the following lines to huntgroup.
fw-pix NAS-IP-Address == 10.0.0.1 fw-pix NAS-IP-Address == 10.0.0.2
fw-pix-group NAS-IP-Address == 10.0.0.1 User-Name = fw-admin, Group = fw-group
I also added the following lines to users DEFAULT Group = fw-group cisco-avpair := "shell:priv-lvl=15" DEFAULT Huntgroup-Name == "fw-pix" Fall-Through = Yes but I still cannot work. Now there's nothing showing with debug mode. Can someone please give me a few pointers? Norman
participants (2)
-
Norman Zhang -
tnt@kalik.co.yu