How to restrict users /PAM to specific NAS devices??
Alan DeKok
aland at deployingradius.com
Wed Jan 3 15:58:17 CET 2007
Ellis, Scott 1 (N-Comptel Inc.) wrote:
> Well here is where I am.
>
> I am using PAM.
Yes, you've said that lots. And it has nothing to do with user names,
grouping, or RADIUS client devices. It's completely irrelevant to the
problem at hand.
> All I need to pull all the pieces together is one simple example of what
> has to be done to do the following: user1 and user2 can access devices
> 10.1.1.1, 10.1.1.2, and user3 can access only 10.1.1.3.
> *************
>
> Here is where I am. To turn on rlm_passwd, I think, you have to goto
> radiusd.conf and create a passwd entry say passwd My_group {
> filename = ${raddbdir}/My.group
> format "=Group-Name:*,User-Name"
No, the Group and Group-Name attributes are for Unix groups. The
documentation for rlm_passwd says specifically that you need to create a
different attribute.
> authtype = PAM (I hope I can auth via PAM since that is how my
> security is tailored)
You don't need that line. Delete it.
> Next, you have to add it to the dictionary ... My_group?
No.
> Then, I was thinking I could use the huntgroups and add an entry called
> admin and ops. The huntgroup would include multiple entries
If you're going to use huntgroups, then you don't need to use
rlm_passwd, but you do need extra entries in the "users" file... as
documented in the "huntgroups" file itself.
> huntgroups
>
> admin NAS-IP-Address = 10.1.1.1
> admin NAS-IP-Address = 10.1.1.2
>       User-Name = user1,
>       User-Name = user2
> ops   NAS-IP-Address = 10.1.1.3
>       User-Name = user3
You should use the same huntgroup name for them all.
> Finally, if I am at least close, I am not entirely clear how to setup
> the USERS file for
> user1 and user2 and user3.
You don't. As per the documentation in the "huntgroups" file, you can
match a huntgroup by doing:
DEFAULT Huntgroup-Name == "admin"
If you read the FAQ, there is an example of rejecting a user based on
certain criteria. With a little bit of putting the pieces together, the
following should work:
DEFAULT Huntgroup-Name != "admin", Auth-Type := Reject
Which will reject everyone who doesn't match the criteria in the
huntgroups file. If you want something more complicated, you will need
a more complicated configuration.
Part of the issue is that there is no one place which will give you
the exact configuration you need to solve the problem. Instead, the
documentation describes how to solve problems, and it's up to you to put
the pieces together.
Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
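The following is an added example, not FreeRADIUS code and not part of the list post above. It models the two pieces Alan points at: a huntgroups file that uses a single huntgroup name ("admin") for all three NAS devices, with the User-Name restriction on indented continuation lines, and the users-file rule `DEFAULT Huntgroup-Name != "admin", Auth-Type := Reject`. The parser accepts only the simplified layout shown in the constructed sample (a `NAS-IP-Address ==` check on the entry line, `User-Name ==` checks on continuation lines, repeated User-Name checks treated as alternatives); that simplification, and the function names, are assumptions made for the example.

```python
"""Toy model of the huntgroups + users-file logic discussed in the thread.

Added example, not FreeRADIUS code. It evaluates a simplified huntgroups
layout and applies the users-file rule
    DEFAULT Huntgroup-Name != "admin", Auth-Type := Reject
so that a user is only accepted on a NAS where the "admin" huntgroup matches.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample in the spirit of the thread: one huntgroup name for all
# three NAS devices, as Alan recommends. Indented lines belong to the entry
# above them and restrict which users may use that NAS.
SAMPLE_HUNTGROUPS = """
# user1 and user2 may use the first two devices
admin   NAS-IP-Address == 10.1.1.1
        User-Name == user1, User-Name == user2
admin   NAS-IP-Address == 10.1.1.2
        User-Name == user1, User-Name == user2
# user3 may use only the third device
admin   NAS-IP-Address == 10.1.1.3
        User-Name == user3
"""


@dataclass
class HuntgroupEntry:
    name: str
    nas_ip: ipaddress.IPv4Address
    users: set = field(default_factory=set)  # empty set means any user


def _parse_check(item):
    """Split 'Attr == value' into (Attr, value); only '==' is modelled here."""
    attr, op, value = item.strip().split(None, 2)
    if op != "==":
        raise ValueError(f"unsupported operator {op!r} in {item!r}")
    return attr, value


def parse_huntgroups(text):
    """Parse the simplified huntgroups layout into a list of HuntgroupEntry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and blank lines
        if not line.strip():
            continue
        if line[0].isspace():
            # Continuation line: User-Name restrictions for the previous entry.
            if not entries:
                raise ValueError("continuation line before any huntgroup entry")
            for item in line.split(","):
                attr, value = _parse_check(item)
                if attr != "User-Name":
                    raise ValueError(f"unexpected attribute {attr!r} on continuation line")
                entries[-1].users.add(value)
        else:
            name, check = line.split(None, 1)
            attr, value = _parse_check(check)
            if attr != "NAS-IP-Address":
                raise ValueError(f"expected NAS-IP-Address check, got {attr!r}")
            entries.append(HuntgroupEntry(name, ipaddress.ip_address(value)))
    return entries


def huntgroup_name(entries, request):
    """Name of the first entry whose NAS check and user restriction match, else None."""
    nas = ipaddress.ip_address(request["NAS-IP-Address"])
    user = request["User-Name"]
    for entry in entries:
        if entry.nas_ip == nas and (not entry.users or user in entry.users):
            return entry.name
    return None


def authorize(entries, request, required="admin"):
    """Model of: DEFAULT Huntgroup-Name != "admin", Auth-Type := Reject.

    Returns "Reject" when no matching huntgroup carries the required name;
    otherwise "Accept", meaning the request falls through to the normal
    Auth-Type (PAM in the thread) instead of being rejected here.
    """
    if huntgroup_name(entries, request) != required:
        return "Reject"
    return "Accept"


if __name__ == "__main__":
    table = parse_huntgroups(SAMPLE_HUNTGROUPS)
    for user, nas in [("user1", "10.1.1.1"), ("user3", "10.1.1.1"),
                      ("user3", "10.1.1.3"), ("user1", "10.1.1.3"),
                      ("user4", "10.1.1.2")]:
        req = {"User-Name": user, "NAS-IP-Address": nas}
        print(f"{user:6} on {nas:9} -> {authorize(table, req)}")
```

Running the script prints one decision per constructed request: user1 and user2 are accepted on 10.1.1.1 and 10.1.1.2 and rejected on 10.1.1.3, user3 is accepted only on 10.1.1.3, and a user or NAS not listed anywhere is rejected because no "admin" entry matches. Per-NAS rules beyond this single reject line would, as Alan says, need a more complicated configuration.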