Using FreeRadius to coordinate access to cisco routers based on time
Hi Radius People, I'm a new user on FreeRadius and recently considering using FreeRadius version 2 in our environment. Basically we are an education/training environment where we have some students accessing the routers and switches for practise, terminal server are used to consolidate the console access, and these terminal servers authenticate the users through a Radius server (as shown in the following figure). Additionally, the students are categorized into few groups. We want to implement policy on the radius server so that only a certain group can access the pod in a given duration of time (the user should be dropped from the terminal when the subscribed time is reached and cannot access thereafter .) +++++++++++++++ +++++++++++++++ ++++++++++++++ User +++++++++++++++++++++ Cisco 2600 +++++++++++++++++++ Network ++ + + Terminal Serv + + Devices ++++++++++++++++ +++++++++++++++ +++++++++++++ (NAS) + + +++++++++++++++ + FreeRadius + +++++++++++++++ Right now I'm able to do the "hello-world" setup with the following users and clients.conf. On the terminal server side, aaa new-model is enabled on the cisco terminal server to communicate with this radius server. users=============cisco Auth-Type := System Service-Type = NAS-Prompt-User, cisco-avpair = "shell:priv-lvl=15" clients.conf==============client 192.168.1.1 { secret = SECRET_KEY shortname = termserver nastype = cisco} A typical transaction would be : Access-Request======= NAS-IP-Address = 192.168.1.1 NAS-Port = 35 NAS-Port-Type = Async User-Name = "cisco" Calling-Station-Id = "1.1.1.1" User-Password = "cisco" Access-Accept======= Service-Type = NAS-Prompt-User Cisco-AVPair = "shell:priv-lvl=15" However, this doesn't really provide any timing or grouping policy. Could you please provide some hints on how typically the timing limits are enforced with the freeradius and cisco terminal server? Thanks a lot in advance. ThanksFrank
Frank Cui wrote:
Basically we are an education/training environment where we have some students accessing the routers and switches for practise, terminal server are used to consolidate the console access, and these terminal servers authenticate the users through a Radius server (as shown in the following figure). Additionally, the students are categorized into few groups. We want to implement policy on the radius server so that only a certain group can access the pod in a given duration of time (the user should be dropped from the terminal when the subscribed time is reached and cannot access thereafter .)
That should be simple.
However, this doesn't really provide any timing or grouping policy. Could you please provide some hints on how typically the timing limits are enforced with the freeradius and cisco terminal server?
Time limits are set with the Session-Timeout attribute. Past that, you should write down in plain english what you have, and what you want to do. "When I see a packet containing X, I want to reply with Y". Then implement it in "unlang". Alan DeKok.
However, this doesn't really provide any timing or grouping policy.> > Could you please provide some hints on how typically the timing limits are enforced with the freeradius and cisco terminal server?
Time limits are set with the Session-Timeout attribute. Thanks for the reply. I have tested to change the user config file to be : cisco Auth-Type := System Service-Type = NAS-Prompt-User, Cisco-AVPair = "shell:priv-lvl=15", Session-Timeout = 20 But it doesn't seem to resolve the problem, not sure if the Cisco terminal server requires any special configs other than the following : aaa new-modelaaa authentication login default group radius local noneaaa authorization exec default group radius if-authenticated aaa accounting exec default start-stop group radiusaaa accounting network default start-stop group radiusaaa accounting connection default start-stop group radius ThanksFrank
Frank Cui wrote:
I have tested to change the user config file to be :
cisco Auth-Type := System Service-Type = NAS-Prompt-User, Cisco-AVPair = "shell:priv-lvl=15", Session-Timeout = 20
Which is 20 seconds. Probably not what you want.
But it doesn't seem to resolve the problem, not sure if the Cisco terminal server requires any special configs other than the following :
aaa new-model aaa authentication login default group radius local none aaa authorization exec default group radius if-authenticated aaa accounting exec default start-stop group radius aaa accounting network default start-stop group radius aaa accounting connection default start-stop group radius
The NAS might not pay attention to Session-Timeout. NASes are like that... Alan DeKok.
Frank Cui wrote:
I have tested to change the user config file to be :
cisco Auth-Type := System Service-Type = NAS-Prompt-User, Cisco-AVPair = "shell:priv-lvl=15", Session-Timeout = 20
Which is 20 seconds. Probably not what you want.
Yeh, I actually explicitly set it to be a short time so that I can test this.
But it doesn't seem to resolve the problem, not sure if the Cisco terminal server requires any special configs other than the following :
aaa new-model aaa authentication login default group radius local none aaa authorization exec default group radius if-authenticated aaa accounting exec default start-stop group radius aaa accounting network default start-stop group radius aaa accounting connection default start-stop group radius
The NAS might not pay attention to Session-Timeout. NASes are like that...
Should all the radius clients support all these well known Attribute VPs ? ThanksFrank
Frank Cui wrote:
Should all the radius clients support all these well known Attribute VPs ?
Ideally? Yes. Realistically? No. The only way to know is a NAS supports an attribute is to try it and see if it works. Alan DeKok.
participants (2)
-
Alan DeKok -
Frank Cui