restricting access for users

Martial VdB mdbnoc at hotmail.com
Fri Jun 17 08:12:32 CEST 2005


Well, as promised, here is the way I'm implementing it. I only did a small-scale 
test. The big test and implementation will be in the coming weeks. So far 
everything worked the way it should.
I hope I can help someone with this explanation.

First install Debian via net.
Then install FreeRADIUS:
# apt-get install freeradius


How it works:

Routers and switches are defined in the file: clients.conf
Users are defined in the file: users
Huntgroups are used to restrict access: huntgroups
Debugging: freeradius -s -X

The client connects to the radius server, radius first goes to clients.conf 
to see if the client is in his list.

clients.conf:

client 127.0.0.1 {
        secret          = testing123
        shortname       = localhost
        nastype         = other     # localhost isn't usually a NAS...
}

client 10.5.x.x {
        secret          = CISCOTEST
        shortname       = namedevice
        nastype         = cisco
}

client 10.5.x.x {
        secret          = CISCOTEST
        shortname       = namedevice
        nastype         = cisco
}

If it is, FreeRADIUS takes the users file and checks the password and name of 
the client. If Auth-Type := System, it will check the system files: 
/etc/shadow, /etc/group and /etc/passwd. If the password is set in this users 
file, it will validate against this password.

users:

DEFAULT   Group == NOC, Auth-Type := System
          Login-Service = 0,
          Vendor-Specific = 9,
          Service-Type = NAS-Prompt-User,
          Cisco-AVpair = "shell:priv-lvl=15"
# The priv-lvl=15 AVpair gives immediate enable access, which makes it
# easier for us to manage enable passwords.
#
bob       Huntgroup-Name == diegem, Auth-Type := System
          Reply-Message = "Hello Bob",
          Cisco-AVpair = "shell:priv-lvl=15",
          Service-Type = NAS-Prompt-User,
          Login-Service = 0,
          Vendor-Specific = 9
#
bobke     Huntgroup-Name == brussels, Auth-Type := System
          Reply-Message = "Hello Bob",
          Cisco-AVpair = "shell:priv-lvl=15",
          Service-Type = NAS-Prompt-User,
          Login-Service = 0,
          Vendor-Specific = 9
#
DEFAULT   Auth-Type := Reject

Some explanation here:
If the user is in group NOC (on the system), match here and authorize the user 
using the system. So all users belonging to group NOC will have access to all 
devices if they provide the correct password. There is no need for their user 
name to be written in the users file. But if the users do not belong to the 
system group NOC, they will have to be validated through huntgroups.
If user bob is coming from huntgroup diegem, match here and authorize the user. 
So if the user does not belong to group NOC but is a member of an active 
huntgroup, he will also be validated against the system, but only if the client 
is also a member of that same huntgroup.
If user bobke is coming from huntgroup brussels, match.
If there is no match on the above, reject the user: DEFAULT   Auth-Type := Reject

This specifies to use system when it matches each user entry or the group 
entry.  If there is no match, then it tells you to reject the user.

huntgroups:

diegem             NAS-IP-Address == 10.5.x.x
diegem             NAS-IP-Address == 10.5.x.x
#
brussels           NAS-IP-Address == 10.2.x.x
brussels           NAS-IP-Address == 10.5.x.x


Logging: has to be enabled in radiusd.conf (see below)

/var/log/freeradius/radacct/10.5.240.247/auth-detail-20050614


radiusd.conf (general config file):

        #  If you want to have a log of authentication requests,
        #  un-comment the following line, and the 'detail auth_log'
        #  section, above.
#       auth_log
***************************************************
authorize {
        #
        #  The preprocess module takes care of sanitizing some bizarre
        #  attributes in the request, and turning them into attributes
        #  which are more standard.
        #
        #  It takes care of processing the 'raddb/hints' and the
        #  'raddb/huntgroups' files.
        #
        #  It also adds the %{Client-IP-Address} attribute to the request.
        preprocess

        #
        #  If you want to have a log of authentication requests,
        #  un-comment the following line, and the 'detail auth_log'
        #  section, above.
        auth_log

#       attr_filter

        #
        #  The chap module will set 'Auth-Type := CHAP' if we are
        #  handling a CHAP request and Auth-Type has not already been set
        chap

        #
        #  If the users are logging in with an MS-CHAP-Challenge
        #  attribute for authentication, the mschap module will find
        #  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
        #  to the request, which will cause the server to then use
        #  the mschap module for authentication.
        mschap

        #
        #  If you have a Cisco SIP server authenticating against
        #  FreeRADIUS, uncomment the following line, and the 'digest'
        #  line in the 'authenticate' section.
#       digest

        #
        #  Look for IPASS style 'realm/', and if not found, look for
        #  '@realm', and decide whether or not to proxy, based on
        #  that.
#       IPASS

        #
        #  If you are using multiple kinds of realms, you probably
        #  want to set "ignore_null = yes" for all of them.
        #  Otherwise, when the first style of realm doesn't match,
        #  the other styles won't be checked.
        #
        suffix
#       ntdomain

        #
        #  This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
        #  authentication.
        #
        #  It also sets the EAP-Type attribute in the request
        #  attribute list to the EAP type from the packet.
        eap

        #
        #  Read the 'users' file
        files

        #
        #  Look in an SQL database.  The schema of the database
        #  is meant to mirror the "users" file.
        #
        #  See "Authorization Queries" in sql.conf
#      sql


        #  If you are using /etc/smbpasswd, and are also doing
        #  mschap authentication, then un-comment this line, and
        #  configure the 'etc_smbpasswd' module, above.
#       etc_smbpasswd

        #
        #  The ldap module will set Auth-Type to LDAP if it has not
        #  already been set
#       ldap

        #
        #  Enforce daily limits on time spent logged in.
#       daily

        #
        # Use the checkval module
#       checkval
}
#  Authentication.
#
#
#  This section lists which modules are available for authentication.
#  Note that it does NOT mean 'try each module in order'.  It means
#  that a module from the 'authorize' section adds a configuration
#  attribute 'Auth-Type := FOO'.  That authentication type is then
#  used to pick the appropriate module from the list below.
#

#  In general, you SHOULD NOT set the Auth-Type attribute.  The server
#  will figure it out on its own, and will do the right thing.  The
#  most common side effect of erroneously setting the Auth-Type
#  attribute is that one authentication method will work, but the
#  others will not.
#
#  The common reasons to set the Auth-Type attribute by hand
#  is to either forcibly reject the user, or forcibly accept him.
#
authenticate {
        #
        #  PAP authentication, when a back-end database listed
        #  in the 'authorize' section supplies a password.  The
        #  password can be clear-text, or encrypted.
        Auth-Type PAP {
                pap
        }

        #
        #  Most people want CHAP authentication
        #  A back-end database listed in the 'authorize' section
        #  MUST supply a CLEAR TEXT password.  Encrypted passwords
        #  won't work.
        Auth-Type CHAP {
                chap
        }

        #
        #  MSCHAP authentication.
        Auth-Type MS-CHAP {
                mschap
        }

        #
        #  If you have a Cisco SIP server authenticating against
        #  FreeRADIUS, uncomment the following line, and the 'digest'
        #  line in the 'authorize' section.
#       digest

        #
        #  Pluggable Authentication Modules.
#       pam

        #
        #  See 'man getpwent' for information on how the 'unix'
        #  module checks the users password.  Note that packets
        #  containing CHAP-Password attributes CANNOT be authenticated
        #  against /etc/passwd!  See the FAQ for details.
        #
        unix

        # Uncomment it if you want to use ldap for authentication
        #
        # Note that this means "check plain-text password against
        # the ldap database", which means that EAP won't work,
        # as it does not supply a plain-text password.
#       Auth-Type LDAP {
#               ldap
#       }

        #
        #  Allow EAP authentication.
        eap
}

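The decision path the post describes (preprocess resolves huntgroups from NAS-IP-Address, the files module takes the first users entry whose check items all match, and Auth-Type := System or := Reject decides what happens next) is easy to get wrong when editing the users file, so here is a small model of it that can be run offline. This is an added example written for this page, not code from the original post and not FreeRADIUS's own rlm_files or rlm_preprocess; the users and huntgroups text, the NAS addresses (10.5.1.x, 10.2.1.1), the user names alice/bob/bobke, and the dictionaries standing in for /etc/group and /etc/shadow are all constructed for the example, and the check-item grammar it parses is the subset the post uses (==, :=, = with quoted or bare values).

```python
"""
Model of the FreeRADIUS decision path described in the post: huntgroups are
resolved from the request, the FIRST matching 'users' entry wins (no
Fall-Through), and the Auth-Type it sets decides how the password is checked.
Simplified re-implementation for study; it is not rlm_files/rlm_preprocess.
"""
import re

# Constructed sample files modelled on the post (addresses are placeholders).
HUNTGROUPS = """\
diegem      NAS-IP-Address == 10.5.1.1
diegem      NAS-IP-Address == 10.5.1.2
#
brussels    NAS-IP-Address == 10.2.1.1
brussels    NAS-IP-Address == 10.5.1.3
"""

USERS = """\
DEFAULT   Group == NOC, Auth-Type := System
          Service-Type = NAS-Prompt-User,
          Cisco-AVpair = "shell:priv-lvl=15"
bob       Huntgroup-Name == diegem, Auth-Type := System
          Reply-Message = "Hello Bob",
          Cisco-AVpair = "shell:priv-lvl=15"
bobke     Huntgroup-Name == brussels, Auth-Type := System
          Reply-Message = "Hello Bob"
DEFAULT   Auth-Type := Reject
"""

# Constructed stand-ins for /etc/group and /etc/shadow (clear text, model only).
SYSTEM_GROUPS = {"alice": {"NOC"}, "bob": {"users"}, "bobke": {"users"}}
SYSTEM_PASSWORDS = {"alice": "a-secret", "bob": "b-secret", "bobke": "k-secret"}

# attribute, operator (:= control, == check, = reply), quoted or bare value
ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^,\s]+)')


def parse_items(text):
    """'A == x, B := y' -> [(attr, op, value)], with quotes stripped."""
    return [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(text)]


def _records(text):
    """Yield the non-empty, non-comment lines of a raddb-style file."""
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            yield line


def _split_entry(line):
    """Leading token is the entry name; the rest of the line is check items."""
    parts = line.split(None, 1)
    return parts[0], parse_items(parts[1] if len(parts) > 1 else "")


def parse_huntgroups(text):
    """[(group name, check items)] in file order; a name may repeat."""
    return [_split_entry(line) for line in _records(text)]


def parse_users(text):
    """[(name, check items, reply items)]; indented lines are reply items."""
    entries = []
    for line in _records(text):
        if line[0].isspace():                       # continuation line
            entries[-1][2].extend(parse_items(line))
        else:
            name, checks = _split_entry(line)
            entries.append((name, checks, []))
    return entries


def checks_match(items, request, huntgroups):
    """True when every '==' item matches; ':=' items are control, not tests."""
    for attr, op, value in items:
        if op == ":=":
            continue
        if attr == "Group":                         # unix group membership
            ok = value in SYSTEM_GROUPS.get(request.get("User-Name"), set())
        elif attr == "Huntgroup-Name":              # some entry of that group matches the NAS
            ok = any(name == value and checks_match(cond, request, huntgroups)
                     for name, cond in huntgroups)
        else:                                       # plain request attribute
            ok = request.get(attr) == value
        if not ok:
            return False
    return True


def authorize(request, users, huntgroups):
    """First matching entry wins: returns (Auth-Type, reply attributes)."""
    for name, checks, replies in users:
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        if checks_match(checks, request, huntgroups):
            control = {a: v for a, op, v in checks if op == ":="}
            return control.get("Auth-Type"), {a: v for a, _, v in replies}
    return None, {}


def handle(request, users=None, huntgroups=None):
    """Return ('Access-Accept', reply) or ('Access-Reject', {})."""
    users = users or parse_users(USERS)
    huntgroups = huntgroups or parse_huntgroups(HUNTGROUPS)
    auth_type, reply = authorize(request, users, huntgroups)
    if auth_type == "System":                       # Auth-Type := System
        user = request.get("User-Name")
        if SYSTEM_PASSWORDS.get(user) == request.get("User-Password"):
            return "Access-Accept", reply
    return "Access-Reject", {}                      # := Reject, or no entry matched


if __name__ == "__main__":
    for who, nas, pw in [("alice", "10.2.1.1", "a-secret"),   # NOC member: any device
                         ("bob", "10.5.1.1", "b-secret"),     # bob on a diegem device
                         ("bob", "10.2.1.1", "b-secret"),     # bob on a brussels device
                         ("bob", "10.5.1.1", "wrong")]:       # bad password
        print(who, nas, handle({"User-Name": who, "NAS-IP-Address": nas, "User-Password": pw}))
```

The third case is the one the post's layout is built to enforce: bob is not in NOC and the request does not come from a diegem NAS, so his own entry does not match and the closing DEFAULT Auth-Type := Reject catches him. Note that a trailing comma on the last reply item, or a comment appended after it, would make the real files parser treat the next line as a continuation, which is why the entries above end without one.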



