Restricting access to a NAS
I have a Cisco 3660 router configured for dialup AAA through FR (1.0.5) to access our LAN. I also have the login to the router itself, for admin, authenticating through FR (MySQL backend). The same DB is used for all auth, so currently anyone with a dialup account could also telnet into the router. This leaves only my 'enable' password to prevent problems. I want to configure FR to eliminate this ability for all but a select group of users (admins). There are other devices I would like to add to the list later. I've been looking at huntgroups as the solution, but was unsure how (or if) this could be handled via sql rather than the users file. Is anyone doing this and could provide a sample config layout? Thx, Laker __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Laker Netman wrote:
I have a Cisco 3660 router configured for dialup AAA through FR (1.0.5) to access our LAN. I also have the login to the router itself, for admin, authenticating through FR (MySQL backend). The same DB is used for all auth, so currently anyone with a dialup account could also telnet into the router. This leaves only my 'enable' password to prevent problems. I want to configure FR to eliminate this ability for all but a select group of users (admins). There are other devices I would like to add to the list later. I've been looking at huntgroups as the solution, but was unsure how (or if) this could be handled via sql rather than the users file.
Is anyone doing this and could provide a sample config layout?
I am not currently doing this but plan to tackle it by using something like a realm of admin when I do get to it. So a user needing admin privs would have to log in like user@admin.user to get access. -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 Off. 325-691-1301 Cell 325-439-0533 fax 325-695-6841
I'm able to make it work by using huntgroups admin NAS-IP-address =~ "^10\.1\.2\." # thanks a lot to Bjørn User-Name = admin1, User-Name = admin2, ... ... and users admin1 Auth-Type := Local, User-Password == "secret", Huntgroup-Name == "admin" ... I would asume that add a huntgroup in the check line would be the same with database backend. Can you post your solution once you make it work? Thanks, Min -----Original Message----- From: freeradius-users-bounces+mqiu=globalinternetworking.com@lists.freeradius.org on behalf of Lewis Bergman Sent: Tue 1/24/2006 12:01 PM To: FreeRadius users mailing list Subject: Re: Restricting access to a NAS Laker Netman wrote:
I have a Cisco 3660 router configured for dialup AAA through FR (1.0.5) to access our LAN. I also have the login to the router itself, for admin, authenticating through FR (MySQL backend). The same DB is used for all auth, so currently anyone with a dialup account could also telnet into the router. This leaves only my 'enable' password to prevent problems. I want to configure FR to eliminate this ability for all but a select group of users (admins). There are other devices I would like to add to the list later. I've been looking at huntgroups as the solution, but was unsure how (or if) this could be handled via sql rather than the users file.
Is anyone doing this and could provide a sample config layout?
I am not currently doing this but plan to tackle it by using something like a realm of admin when I do get to it. So a user needing admin privs would have to log in like user@admin.user to get access. -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 Off. 325-691-1301 Cell 325-439-0533 fax 325-695-6841 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Tuesday 24 January 2006 11:24, Laker Netman wrote:
I have a Cisco 3660 router configured for dialup AAA through FR (1.0.5) to access our LAN. I also have the login to the router itself, for admin, authenticating through FR (MySQL backend). The same DB is used for all auth, so currently anyone with a dialup account could also telnet into the router. This leaves only my 'enable' password to prevent problems. I want to configure FR to eliminate this ability for all but a select group of users (admins). There are other devices I would like to add to the list later. I've been looking at huntgroups as the solution, but was unsure how (or if) this could be handled via sql rather than the users file.
Is anyone doing this and could provide a sample config layout?
Thx, Laker
Setup auth detail logs, or run in debug mode, to see what special attributes are sent when an admin logs into the router. With that info, setup a huntgroup that matches on all or a subset of those attributes and add that as a check item for your admin users. We specify the password for the admin user because we didn't want the admin passwords to be the same as the dialup passwords. An example of what we use is below. Kevin Bonner == huntgroups == admin Service-Type == Login-User, NAS-Port-Type == Virtual, Calling-Station-Id == "AAA.BBB.CCC.DDD" == end huntgroups == == users == DEFAULT Huntgroup-Name == "admin" Cisco-AVPair := "shell:priv-lvl=1", Fall-Through = 1 keb Huntgroup-Name == "admin", Crypt-Password == "..." ... more admin entries ... # reject all admin auth DEFAULT Huntgroup-Name == "admin", Auth-Type := Reject == end users ==
participants (4)
-
Kevin Bonner -
Laker Netman -
Lewis Bergman -
Min Qiu