differentiating radius attribute

Thibault Le Meur Thibault.LeMeur at supelec.fr
Fri Dec 1 18:18:57 CET 2006



-----Original Message-----
From: freeradius-users-bounces+thibault.lemeur=supelec.fr at lists.freeradius.org
[mailto:freeradius-users-bounces+thibault.lemeur=supelec.fr at lists.freeradius.org] On behalf of jerrrry at voila.fr
Sent: Friday, 1 December 2006 17:16
To: freeradius-users at lists.freeradius.org
Subject: differentiating radius attribute

Hi everybody,


I'm using freeradius to authenticate and authorize users to cisco
switches/routers/FW.
My issue is that I want to do aaa for 3 things on the same device: device
administrator login (telnet), 802.1x EAP/MD5, and managing firewall
FWSM ACLs (radius attribute in the response: filter-id=acl_name).

My question is how to differentiate these 3 needs by a radius attribute in
the request, to be able to send in the response only the right radius
authorization attribute depending on the aaa type being requested.


Could you run the radius server in debug mode (radius -X), and check what
Attributes are present in the Request. Maybe something like Service-Type,
Framed-Protocol, and NAS-Port could be used.

For instance, this is a request from a PPP server:

rad_recv: Access-Request packet from host A.B.C.D:32776, id=171, length=136
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "MyLogin"
        MS-CHAP-Challenge = 0xXXXXXX
        MS-CHAP2-Response = 0xXXXXXXXX
        NAS-IP-Address = X.Y.Z.T
        NAS-Port = 0


And this is a request from a WiFi access (not on the same NAS though):

rad_recv: Access-Request packet from host A.B.C.D:1030, id=1, length=213
        Message-Authenticator = 0xXXXXXXXXXXXXXXXX
        Service-Type = Framed-User
        User-Name = "anonymous"
        Framed-MTU = 1492
        State = 0xXXXXXXXXX
        Called-Station-Id = "MACADDR:SSID"
        Calling-Station-Id = "MACADDR"
        NAS-Identifier = "AP_Name"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "802.11g"
        EAP-Message = 0xXXXXXXXX
        NAS-IP-Address = X.Y.Z.T
        NAS-Port = 1
        NAS-Port-Id = "STA port # 1"


Also check in your NAS setup whether you can add specific attributes to the
Request depending on the service used.


HTH,

Thibault
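
As an added example (not part of this thread), here is how the three request kinds from the question could be told apart in the FreeRADIUS `users` file once the debug output has shown which attributes each device sends. The check items assume what Cisco IOS typically sends for vty logins and for 802.1X on a switch port, and the FWSM address (192.0.2.10) and ACL name are placeholders; confirm every check item against your own debug output before relying on it.

```text
# Example entries for the FreeRADIUS "users" file (raddb/users).
# The check items on each DEFAULT line select the request kind; the
# indented reply items are returned only for that kind. Fall-Through = No
# stops matching so later entries cannot add their attributes to the reply.
# Order matters: the first matching entry wins.

# 1) Device administrator login over telnet/vty.
#    Assumption: IOS sends Service-Type = Login-User and
#    NAS-Port-Type = Virtual for exec logins.
DEFAULT Service-Type == Login-User, NAS-Port-Type == Virtual
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15",
        Fall-Through = No

# 2) 802.1X EAP/MD5 on a switch port.
#    Assumption: Service-Type = Framed-User and NAS-Port-Type = Ethernet.
#    Only authentication is wanted here, so no Filter-Id or shell
#    attributes are sent back for this kind of request.
DEFAULT Service-Type == Framed-User, NAS-Port-Type == Ethernet
        Fall-Through = No

# 3) FWSM ACL assignment, matched on the FWSM's own NAS-IP-Address
#    (192.0.2.10 is a placeholder). "acl_name" is the ACL configured
#    on the FWSM, as in the original question.
DEFAULT NAS-IP-Address == 192.0.2.10
        Filter-Id = "acl_name",
        Fall-Through = No
```

Because each entry ends with Fall-Through = No, a vty login never receives the Filter-Id and an FWSM request never receives the shell privilege level.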
