Suppose I have two Cisco routers both configured to authenticate to the same radius server. How do I allow a particular user access to one router but not the other? Is there a place in the clients.conf or users file to configure this? Thanks, Mark
Mark Tunnell wrote:
Suppose I have two Cisco routers both configured to authenticate to the same radius server. How do I allow a particular user access to one router but not the other? Is there a place in the clients.conf or users file to configure this?
realms might be one way in adition to the obvious different password for the same username. I am assuming that the usernames ae the same since you asked the question. -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 Off. 325-691-1301 Cell 325-439-0533 fax 325-695-6841
Thanks. I'm using the local Linux system passwords for authentication. I guess I'm wondering if there is any way to identify where the authentication request is coming from and approve or reject it based on that per user. The comments in the user file mention "comm server name" but none of the examples in that file or the man page mention how this would be used. Mark Lewis Bergman wrote:
Mark Tunnell wrote:
Suppose I have two Cisco routers both configured to authenticate to the same radius server. How do I allow a particular user access to one router but not the other? Is there a place in the clients.conf or users file to configure this?
realms might be one way in adition to the obvious different password for the same username. I am assuming that the usernames ae the same since you asked the question.
Mark Tunnell <mtunnell@livebridge.com> wrote:
I'm using the local Linux system passwords for authentication. I guess I'm wondering if there is any way to identify where the authentication request is coming from
Client-IP-Address.
and approve or reject it based on that per user.
bob Client-IP-Address != 1.2.3.4, Auth-Type := Reject Reply-Message = "go away, bob" Alan DeKok.
Excellent! Thanks. Alan DeKok wrote:
Client-IP-Address.
and approve or reject it based on that per user.
bob Client-IP-Address != 1.2.3.4, Auth-Type := Reject Reply-Message = "go away, bob"
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Mark Tunnell wrote:
Suppose I have two Cisco routers both configured to authenticate to the same radius server. How do I allow a particular user access to one router but not the other? Is there a place in the clients.conf or users file to configure this?
Oh yea, Alan gave me a trick with the hints file that adds a realm to a client if one is not present that could also help. DEFAULT User-Name !~ ".*@", NAS-IP-Address == "ip of client" User-Name := "%{User-name}@realmtoadd.com" -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 Off. 325-691-1301 Cell 325-439-0533 fax 325-695-6841
Nice! That gets me almost all the way there. I'm able to authenticate using Auth-Type := Local. Now I just need to figure out how to authenticate that type of user name (user@realm) using Auth-Type := System. Any ideas how to go about that? Thanks, Mark Lewis Bergman wrote:
Mark Tunnell wrote:
Suppose I have two Cisco routers both configured to authenticate to the same radius server. How do I allow a particular user access to one router but not the other? Is there a place in the clients.conf or users file to configure this?
Oh yea, Alan gave me a trick with the hints file that adds a realm to a client if one is not present that could also help. DEFAULT User-Name !~ ".*@", NAS-IP-Address == "ip of client" User-Name := "%{User-name}@realmtoadd.com"
Mark Tunnell wrote:
Nice! That gets me almost all the way there. I'm able to authenticate using Auth-Type := Local. Now I just need to figure out how to authenticate that type of user name (user@realm) using Auth-Type := System. Any ideas how to go about that?
Mark Tunnell wrote:
Suppose I have two Cisco routers both configured to authenticate to the same radius server. How do I allow a particular user access to one router but not the other? Is there a place in the clients.conf or users file to configure this?
Oh yea, Alan gave me a trick with the hints file that adds a realm to a client if one is not present that could also help. DEFAULT User-Name !~ ".*@", NAS-IP-Address == "ip of client" User-Name := "%{User-name}@realmtoadd.com" Well, take a look at the docs and there is an explination of the variables you can play with. I don't know what adding an @in the username would do to a linux password file but my guess would be nothing spectacular. Running radiusd -X will give you what the cisco is passing and you can use that to decide what to check attribute to manipulate.
-- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 Off. 325-691-1301 Cell 325-439-0533 fax 325-695-6841
participants (3)
-
Alan DeKok -
Lewis Bergman -
Mark Tunnell