Default Authentication
I have the following setup for users DEFAULT Auth-Type = System Fall-Through = Yes, cisco-avpair = "shell:priv-lvl=1", Service-Type = NAS-Prompt-User DEFAULT Group == router-ro cisco-avpair := "shell:priv-lvl=7" DEFAULT Group == router-rw cisco-avpair := "shell:priv-lvl=15" However, system users not in group router-ro or router-rw are still able to login with privilege level = 1. Is there a way to force only group router-ro and router-rw can login? Norman
-----Original Message----- From: freeradius-users-bounces+frank.ranner=defence.gov.au@lists.fre eradius.org [mailto:freeradius-users-bounces+frank.ranner=defence.gov.au@l ists.freeradius.org] On Behalf Of Norman Zhang Sent: Wednesday, 2 May 2007 13:08 To: freeradius-users@lists.freeradius.org Subject: Default Authentication
I have the following setup for users
DEFAULT Auth-Type = System Fall-Through = Yes, cisco-avpair = "shell:priv-lvl=1", Service-Type = NAS-Prompt-User
DEFAULT Group == router-ro cisco-avpair := "shell:priv-lvl=7"
DEFAULT Group == router-rw cisco-avpair := "shell:priv-lvl=15"
However, system users not in group router-ro or router-rw are still able to login with privilege level = 1. Is there a way to force only group router-ro and router-rw can login?
Add: DEFAULT Auth-Type := Reject Reply-Message := "Access denied" To the end of the users file. FR
Norman Zhang wrote:
I have the following setup for users
DEFAULT Auth-Type = System Fall-Through = Yes, cisco-avpair = "shell:priv-lvl=1", Service-Type = NAS-Prompt-User
DEFAULT Group == router-ro cisco-avpair := "shell:priv-lvl=7"
DEFAULT Group == router-rw cisco-avpair := "shell:priv-lvl=15"
However, system users not in group router-ro or router-rw are still able to login with privilege level = 1.
Because you configured the server to permit that. Please read "man users" to see how the "users" file works.
Is there a way to force only group router-ro and router-rw can login?
Switch the entries around: DEFAULT Group == router-ro Fall-Through = Yes, cisco-avpair := "shell:priv-lvl=7" DEFAULT Group == router-rw Fall-Through = Yes, cisco-avpair := "shell:priv-lvl=15" DEFAULT Auth-Type = System Service-Type = NAS-Prompt-User And do NOT just blindly try it and see if it works. Spend some time understanding it first. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Alan DeKok wrote:
Is there a way to force only group router-ro and router-rw can login?
Switch the entries around:
DEFAULT Group == router-ro Fall-Through = Yes, cisco-avpair := "shell:priv-lvl=7"
DEFAULT Group == router-rw Fall-Through = Yes, cisco-avpair := "shell:priv-lvl=15"
DEFAULT Auth-Type = System Service-Type = NAS-Prompt-User
This won't work, as Auth-Type = System will act as the clean-up default. All other Unix users will be able to login, except they have privilege = 1. I read through users(5) few times, not sure if there's a way that I can avoid this. Can you give more hints? Norman
Add a huntgroup: onlythem NAS-IP-Address == a.b.c.d, Service-Type == admin or prompt Group = router-ro, Group = router-rw Ivan Kalik Kalik Informatika ISP Dana 2/5/2007, "Norman Zhang" <norman.zhang@gmail.com> piše:
Alan DeKok wrote:
Is there a way to force only group router-ro and router-rw can login?
Switch the entries around:
DEFAULT Group == router-ro Fall-Through = Yes, cisco-avpair := "shell:priv-lvl=7"
DEFAULT Group == router-rw Fall-Through = Yes, cisco-avpair := "shell:priv-lvl=15"
DEFAULT Auth-Type = System Service-Type = NAS-Prompt-User
This won't work, as Auth-Type = System will act as the clean-up default. All other Unix users will be able to login, except they have privilege = 1. I read through users(5) few times, not sure if there's a way that I can avoid this. Can you give more hints?
Norman
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Norman Zhang wrote:
This won't work, as Auth-Type = System will act as the clean-up default. All other Unix users will be able to login, except they have privilege = 1. I read through users(5) few times, not sure if there's a way that I can avoid this. Can you give more hints?
If you want only groups A and B to log in, do: DEFAULT Group == A, Auth-Type = System ... DEFAULT Group == B, Auth-Type = System ... DEFAULT Auth-Type := Reject Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Alan DeKok wrote:
If you want only groups A and B to log in, do:
DEFAULT Group == A, Auth-Type = System ...
DEFAULT Group == B, Auth-Type = System ...
DEFAULT Auth-Type := Reject
Thanks. Here's what I done. DEFAULT Group == router-ro, Auth-Type = System Service-Type = NAS-Prompt-User, cisco-avpair := "shell:priv-lvl=7" DEFAULT Group == router-rw, Auth-Type = System Service-Type = NAS-Prompt-User, cisco-avpair := "shell:priv-lvl=15" but I can't get restriction for another group "fw-group" to work. *added to users* DEFAULT Group == fw-group, Auth-Type = System Huntgroup-Name == "fw-pix", Service-Type = NAS-Prompt-User, cisco-avpair := "shell:priv-lvl=15" *added to huntgroups* fw-pix NAS-IP-Address == 10.0.0.1 fw-pix NAS-IP-Address == 10.0.0.2 Group "router-ro" and "router-rw" still can login to the PIX. Can you give me few more pointers? Norman
Yes, they can. They are not restricted in any way. Group fw-group is restricted only to 10.0.0.1 and 10.0.0.2. If you want to stop other groups from logging in there make huntgroups like this: fw-pix NAS-IP-Address == 10.0.0.1 Group = fw-group fw-pix NAS-IP-Address == 10.0.0.2 Group = fw-group Router groups will then be able to login elsewhere but not on 1.0.0.1 and 10.0.0.2 Ivan Kalik Kalik Informatika ISP Dana 4/5/2007, "Norman Zhang" <norman.zhang@gmail.com> piše:
Alan DeKok wrote:
If you want only groups A and B to log in, do:
DEFAULT Group == A, Auth-Type = System ...
DEFAULT Group == B, Auth-Type = System ...
DEFAULT Auth-Type := Reject
Thanks. Here's what I done.
DEFAULT Group == router-ro, Auth-Type = System Service-Type = NAS-Prompt-User, cisco-avpair := "shell:priv-lvl=7"
DEFAULT Group == router-rw, Auth-Type = System Service-Type = NAS-Prompt-User, cisco-avpair := "shell:priv-lvl=15"
but I can't get restriction for another group "fw-group" to work.
*added to users* DEFAULT Group == fw-group, Auth-Type = System Huntgroup-Name == "fw-pix", Service-Type = NAS-Prompt-User, cisco-avpair := "shell:priv-lvl=15"
*added to huntgroups* fw-pix NAS-IP-Address == 10.0.0.1 fw-pix NAS-IP-Address == 10.0.0.2
Group "router-ro" and "router-rw" still can login to the PIX. Can you give me few more pointers?
Norman
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
Alan DeKok -
Norman Zhang -
Ranner, Frank MR -
tnt@kalik.co.yu