Restricting access to a NAS

Kevin Bonner keb at pa.net
Tue Jan 24 19:36:02 CET 2006


On Tuesday 24 January 2006 11:24, Laker Netman wrote:
> I have a Cisco 3660 router configured for dialup AAA
> through FR (1.0.5) to access our LAN.  I also have the
> login to the router itself, for admin, authenticating
> through FR (MySQL backend).
> The same DB is used for all auth, so currently anyone
> with a dialup account could also telnet into the
> router.  This leaves only my 'enable' password to
> prevent problems.
> I want to configure FR to eliminate this ability for
> all but a select group of users (admins). There are
> other devices I would like to add to the list later.
> I've been looking at huntgroups as the solution, but
> was unsure how (or if) this could be handled via sql
> rather than the users file.
>
> Is anyone doing this and could provide a sample config
> layout?
>
> Thx,
>  Laker

Set up auth detail logs, or run in debug mode, to see what special attributes 
are sent when an admin logs into the router.  With that info, set up a 
huntgroup that matches on all or a subset of those attributes and add that as 
a check item for your admin users.  We specify the password for the admin 
user because we didn't want the admin passwords to be the same as the dialup 
passwords.

An example of what we use is below.

Kevin Bonner

== huntgroups ==
admin   Service-Type == Login-User, NAS-Port-Type == Virtual, Calling-Station-Id == "AAA.BBB.CCC.DDD"
== end huntgroups ==

== users ==
DEFAULT Huntgroup-Name == "admin"
        Cisco-AVPair := "shell:priv-lvl=1",
        Fall-Through = 1

keb  Huntgroup-Name == "admin", Crypt-Password == "..."

... more admin entries ...

# reject all admin auth
DEFAULT Huntgroup-Name == "admin", Auth-Type := Reject
== end users ==
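Added example, not part of the post and not FreeRADIUS code: a small Python model of the walk the huntgroups and users entries above describe, so the ordering (priv-lvl DEFAULT with Fall-Through, the per-admin password entry, then the final Reject DEFAULT) can be traced on sample requests. It assumes a constructed sha256-based stand-in for Crypt-Password, a constructed admin password, and constructed request attribute sets; the placeholder address AAA.BBB.CCC.DDD is the one from the post. It also shows what the huntgroup's check items decide: a router login from an address other than the one in Calling-Station-Id never enters the admin huntgroup, so none of these three entries apply to it and the rest of the configuration handles that request.

```python
import hashlib
import hmac

# Constructed, simplified model of the huntgroups/users walk in the post.
# Not FreeRADIUS code: it models only the "==" check items, ":=" reply
# items, Huntgroup-Name, Fall-Through and Auth-Type := Reject the example
# uses, and it folds the password check into the authorize walk.


def make_hash(password):
    # Constructed stand-in for the crypt(3) hash behind "Crypt-Password == ..."
    return hashlib.sha256(password.encode()).hexdigest()


def password_matches(stored_hash, given):
    return hmac.compare_digest(stored_hash, make_hash(given))


HUNTGROUPS = {
    # group name -> check items; every item must match for membership
    "admin": {
        "Service-Type": "Login-User",
        "NAS-Port-Type": "Virtual",
        "Calling-Station-Id": "AAA.BBB.CCC.DDD",  # placeholder from the post
    },
}

# users file entries in file order: (name, check items, reply items)
USERS = [
    ("DEFAULT", {"Huntgroup-Name": "admin"},
     {"Cisco-AVPair": "shell:priv-lvl=1", "Fall-Through": "1"}),
    ("keb", {"Huntgroup-Name": "admin",
             "Crypt-Password": make_hash("admin-pass")},  # constructed password
     {}),
    ("DEFAULT", {"Huntgroup-Name": "admin", "Auth-Type": "Reject"}, {}),
]


def huntgroup_for(request):
    """Return the first huntgroup whose check items all match the request."""
    for name, checks in HUNTGROUPS.items():
        if all(request.get(attr) == value for attr, value in checks.items()):
            return name
    return None


def checks_match(checks, request):
    for attr, value in checks.items():
        if attr == "Auth-Type":      # ':=' control item, not compared to the request
            continue
        if attr == "Crypt-Password":
            if not password_matches(value, request.get("User-Password", "")):
                return False
        elif request.get(attr) != value:
            return False
    return True


def authorize(request):
    """Walk the users entries; returns (decision, reply) where decision is
    'accept', 'reject' or 'unhandled' (no entry matched, so the rest of the
    configuration, e.g. the SQL dialup auth, decides)."""
    request = dict(request)
    group = huntgroup_for(request)
    if group:
        request["Huntgroup-Name"] = group
    reply = {}
    for name, checks, replies in USERS:
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        if not checks_match(checks, request):
            continue
        if checks.get("Auth-Type") == "Reject":
            return "reject", reply
        reply.update((k, v) for k, v in replies.items() if k != "Fall-Through")
        if replies.get("Fall-Through") != "1":
            return "accept", reply
    return "unhandled", reply


# Constructed sample requests: router logins and a plain dialup session.
ROUTER_LOGIN = {"Service-Type": "Login-User", "NAS-Port-Type": "Virtual",
                "Calling-Station-Id": "AAA.BBB.CCC.DDD"}
SAMPLES = {
    "admin ok": dict(ROUTER_LOGIN, **{"User-Name": "keb", "User-Password": "admin-pass"}),
    "admin bad pw": dict(ROUTER_LOGIN, **{"User-Name": "keb", "User-Password": "wrong"}),
    "dialup user at router": dict(ROUTER_LOGIN, **{"User-Name": "laker", "User-Password": "x"}),
    "router login, other address": dict(ROUTER_LOGIN, **{"User-Name": "laker",
                                         "User-Password": "x", "Calling-Station-Id": "10.0.0.5"}),
    "plain dialup": {"User-Name": "laker", "User-Password": "x",
                     "Service-Type": "Framed-User", "NAS-Port-Type": "Async"},
}


def demo():
    return {label: authorize(req)[0] for label, req in SAMPLES.items()}


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label:30s} -> {decision}")
```

The "router login, other address" case is the one to watch when copying the huntgroup: with Calling-Station-Id in the check items, only logins from that address are subject to the final Reject, so a narrower huntgroup means a narrower reject.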