Huntgroups, Users and Proxy
Walt Reynolds
waltr at umich.edu
Tue Dec 12 22:23:43 CET 2006
I am going in circles here and not getting anywhere. I will try to
describe what I want to do starting with huntgroups.
huntgroup:
All NAS-IP-Address == 10.213.226.1
All NAS-IP-Address == 10.213.226.2
All NAS-IP-Address == 10.213.226.3
All NAS-IP-Address == 192.168.224.5
All NAS-IP-Address == 192.168.224.36
All NAS-IP-Address == 172.213.226.46
Bldg1 NAS-IP-Address == 10.213.226.1
Bldg1 NAS-IP-Address == 10.213.226.2
Bldg1 NAS-IP-Address == 10.213.226.3
Bldg1 NAS-IP-Address == 192.168.224.5
Bldg1 NAS-IP-Address == 192.168.224.36
Bldg2 NAS-IP-Address == 172.213.226.46
UnitA NAS-IP-Address == 10.213.226.1
UnitA NAS-IP-Address == 10.213.226.2
UnitA NAS-IP-Address == 10.213.226.3
UnitA NAS-IP-Address == 172.213.226.46
UnitB NAS-IP-Address == 192.168.224.5
UnitB NAS-IP-Address == 192.168.224.36
UnitB NAS-IP-Address == 172.213.226.46
UnitAB NAS-IP-Address == 172.213.226.46
TypeVPN NAS-IP-Address == 192.168.224.5
TypeGW NAS-IP-Address == 192.168.224.36
===========================
Now, what I need is multiple proxy statements for each. For example, for
each group below, in addition to what is listed, I want default to
fall through to (proxy to):
realm DEFAULT {
        type = radius
        authhost = highered.edu
        accthost = highered.edu
        nostrip
}
===================
"All" Authenticate with a Null Realm
or
Authenticate user at generic.edu
"Bldg1" Authenticate with a Null Realm
or
Authenticate user at generic.edu
"UnitA" Authenticate with user at unita.generic.edu
or
Authenticate with Null Realm
or
Authenticate user at generic.edu
But NOT
user at unitb.generic.edu
"UnitB" Authenticate with user at unitb.generic.edu
or
Authenticate with Null Realm
or
Authenticate user at generic.edu
but NOT
user at unita.generic.edu
"UnitAB" Authenticate with user at unita.generic.edu
or
Authenticate with user at unitb.generic.edu
or
user at generic.edu
or
Null realm
"TypeVPN" Authenticate ONLY with Null Realm
So I can add these as DEFAULT users in the users file, based on
huntgroup, but from there I am at a loss as to what entry to put and the
config in proxy.conf to match.
I think I could do the following
users:
DEFAULT Huntgroup-Name == TypeVPN, Proxy-To-Realm := realm1.edu
DEFAULT Huntgroup-Name == TypeGW, Proxy-To-Realm := realm2.edu
DEFAULT Huntgroup-Name == UnitAB, Proxy-To-Realm := realm3.edu
DEFAULT Huntgroup-Name == UnitA, Proxy-To-Realm := realm4.edu
DEFAULT Huntgroup-Name == UnitB, Proxy-To-Realm := realm5.edu
DEFAULT Huntgroup-Name == Bldg1, Proxy-To-Realm := realm6.edu
DEFAULT Huntgroup-Name == Bldg2, Proxy-To-Realm := realm7.edu
DEFAULT Huntgroup-Name == All, Proxy-To-Realm := realm8.edu
But how can I get them to only allow certain @realms? Is there a way to
define in here something like this?
DEFAULT Huntgroup-Name == UnitA, *@unita.generic.edu Proxy-To-Realm :=
realm4.edu
but then in proxy.conf how can I keep it so it does not allow UnitA
users to authenticate on UnitB NASes (unless it is a UnitAB) but still
allows user at generic.edu, Null and DEFAULT proxy as mentioned above?
I have looked at the mailing list and found many setups, but none seem
to take into account the actual realm a user tries to log into.
Thanks.
--
Walter Reynolds
Principal Systems Security Development Engineer
Information Technology Central Services
University of Michigan
(734)615-9438
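The policy the message spells out (which realms each huntgroup may proxy to, which it must refuse, and where everything else falls through) is easier to get right once it is written down as a decision table. The following is an added example, not code from the post or from the FreeRADIUS project: a small Python model that evaluates the huntgroups and realm rules listed above in the same first-match order as the poster's DEFAULT Huntgroup-Name entries, so the intended outcome for any NAS/User-Name pair can be checked before it is translated into users and proxy.conf entries. Huntgroup names, NAS addresses and realm names are taken from the message; the rule ordering, the NULL marker, the "fall through to DEFAULT" flag and the omission of TypeGW and Bldg2 (the post gives them no realm rule) are assumptions of the model.

```python
# Added model of the per-huntgroup realm policy from the post (not FreeRADIUS code).
# It mimics users-file evaluation: the first huntgroup in POLICY order that
# contains the NAS decides, and the realm in User-Name is checked against
# that huntgroup's allowed / refused sets.

NULL = None                     # marker for a User-Name with no "@realm" (null realm)
DEFAULT_REALM = "highered.edu"  # realm DEFAULT { authhost = highered.edu } from the post

# NAS-IP-Address membership, transcribed from the poster's huntgroups file.
HUNTGROUPS = {
    "All":     {"10.213.226.1", "10.213.226.2", "10.213.226.3",
                "192.168.224.5", "192.168.224.36", "172.213.226.46"},
    "Bldg1":   {"10.213.226.1", "10.213.226.2", "10.213.226.3",
                "192.168.224.5", "192.168.224.36"},
    "Bldg2":   {"172.213.226.46"},
    "UnitA":   {"10.213.226.1", "10.213.226.2", "10.213.226.3", "172.213.226.46"},
    "UnitB":   {"192.168.224.5", "192.168.224.36", "172.213.226.46"},
    "UnitAB":  {"172.213.226.46"},
    "TypeVPN": {"192.168.224.5"},
    "TypeGW":  {"192.168.224.36"},
}

# Ordered like the poster's DEFAULT Huntgroup-Name == ... entries (first match wins).
# Each rule: (huntgroup, allowed realms, refused realms, fall through to DEFAULT?).
# TypeGW and Bldg2 have no realm rule in the post, so they are left out (assumption).
POLICY = [
    ("TypeVPN", {NULL}, set(), False),                       # "ONLY with Null Realm"
    ("UnitAB",  {"unita.generic.edu", "unitb.generic.edu",
                 "generic.edu", NULL}, set(), True),
    ("UnitA",   {"unita.generic.edu", "generic.edu", NULL},
                {"unitb.generic.edu"}, True),                # "But NOT user at unitb"
    ("UnitB",   {"unitb.generic.edu", "generic.edu", NULL},
                {"unita.generic.edu"}, True),                # "but NOT user at unita"
    ("Bldg1",   {"generic.edu", NULL}, set(), True),
    ("All",     {"generic.edu", NULL}, set(), True),
]


def split_realm(username):
    """Return (user, realm); realm is NULL when the name carries no '@'."""
    if "@" in username:
        user, realm = username.rsplit("@", 1)
        return user, realm.lower()
    return username, NULL


def matching_rule(nas_ip):
    """First POLICY rule whose huntgroup contains the NAS, or None."""
    for rule in POLICY:
        if nas_ip in HUNTGROUPS[rule[0]]:
            return rule
    return None


def decide(nas_ip, username):
    """Return (action, target) for a request from nas_ip with this User-Name.

    action is "local" (null realm, authenticate here), "proxy" (to target)
    or "reject"; target names the realm or the huntgroup that decided.
    """
    rule = matching_rule(nas_ip)
    if rule is None:
        return ("reject", "unknown NAS")      # NAS is in no huntgroup with a rule
    huntgroup, allowed, refused, fallthrough = rule
    _, realm = split_realm(username)
    if realm in refused:
        return ("reject", huntgroup)          # explicit "but NOT" realm
    if realm in allowed:
        return ("local", huntgroup) if realm is NULL else ("proxy", realm)
    if fallthrough:
        return ("proxy", DEFAULT_REALM)       # anything else goes to realm DEFAULT
    return ("reject", huntgroup)              # e.g. TypeVPN with a non-null realm


if __name__ == "__main__":
    # Constructed sample requests; none of these users exist anywhere.
    for nas, name in [("192.168.224.5", "alice"),
                      ("192.168.224.5", "alice@generic.edu"),
                      ("172.213.226.46", "bob@unitb.generic.edu"),
                      ("10.213.226.1", "bob@unitb.generic.edu"),
                      ("10.213.226.1", "carol@other.org")]:
        print(f"{nas:16} {name:26} -> {decide(nas, name)}")
```

Note that 172.213.226.46 sits in UnitA, UnitB and UnitAB at once; the model resolves that the way the poster's users-file order does, by listing UnitAB before UnitA and UnitB so the shared NAS accepts both unit realms while a UnitA-only NAS still refuses unitb.generic.edu.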