Freeradius/Netscreen help [SEC=UNCLASSIFIED]
Ranner, Frank MR
Frank.Ranner at defence.gov.au
Mon Apr 21 03:13:59 CEST 2008
UNCLASSIFIED
> -----Original Message-----
> From:
> freeradius-users-bounces+frank.ranner=defence.gov.au at lists.fre
eradius.org [mailto:freeradius-users->
bounces+frank.ranner=defence.gov.au at lists.freeradius.org] On
> Behalf Of Mario Carassale
> Sent: Saturday, 19 April 2008 00:49
> To: freeradius-users at lists.freeradius.org
> Subject: Freeradius/Netscreen help
>
> Hi All
>
> i am new to this list, so please understand my funny question :-)
>
> I have freeradius running fine and i want to authenticate a netscreen
> firewall against it. My question is, how can i get user privileges
> from the radius when a user logs into the firewall?
>
> If a set on the firewall to get get privilege from the RADIUS server,
> the login fails, i suppose this is due to not admin provileges.
>
> Thank you for all your help.
>
> Mario
>
There are a couple of things you need for netscreens.
1. The netscreen dictionary. You should find one in the nescreen doco,
but failing that here is the one I use:
------------Start----------------
# -*- text -*-
#
# From:
#
http://www.netscreen.com/support/downloads/4.0_configuring_screenOS_for_
NTdomain_v11.pdf
#
VENDOR Netscreen 3224
BEGIN-VENDOR Netscreen
ATTRIBUTE NS-Admin-Privilege 1 integer
ATTRIBUTE NS-VSYS-Name 2 string
ATTRIBUTE NS-User-Group 3 string
ATTRIBUTE NS-Primary-DNS 4 ipaddr
ATTRIBUTE NS-Secondary-DNS 5 ipaddr
ATTRIBUTE NS-Primary-WINS 6 ipaddr
ATTRIBUTE NS-Secondary-WINS 7 ipaddr
ATTRIBUTE NS-NSM-User-Domain-Name 220 string
ATTRIBUTE NS-NSM-User-Role-Mapping 221 string
#
# Values VSYS-Admin and Read-Only-VSYS-Admin require a NS-VSYS-Name #
attribute in the response packet.
#
VALUE NS-Admin-Privilege Root-Admin 1
VALUE NS-Admin-Privilege All-VSYS-Root-Admin 2
VALUE NS-Admin-Privilege VSYS-Admin 3
VALUE NS-Admin-Privilege Read-Only-Admin 4
VALUE NS-Admin-Privilege Read-Only-VSYS-Admin 5
END-VENDOR Netscreen
-----------Finish-------
Put the text into dictionary.netscreen and add a line $INCLUDE
dictionary.netscreen
in share/freeradius/dictionary
2. you need to return some attributes depending on the access level.
In raddb/users:
DEFAULT Ldap-Group == `%{Huntgroup-Name}_RWA`
NS-Admin-Privilege := Root-Admin,
NS-NSM-User-Domain-Name = global,
NS-NSM-User-Role-Mapping = "global:Domain Administrator"
DEFAULT Ldap-Group == `%{Huntgroup-Name}_RO`
NS-Admin-Privilege := Read-Only-Admin,
NS-NSM-User-Domain-Name = global,
NS-NSM-User-Role-Mapping = "global:Read-Only Domain
Administrator"
DEFAULT Ldap-Group == `%{Huntgroup-Name}_RDA`
NS-Admin-Privilege := Root-Admin,
NS-NSM-User-Domain-Name = global,
NS-NSM-User-Role-Mapping = "global:Restricted Device
Administrator"
Obviously your check criteria will need to be adjusted toy your
requirements, but the return attributes should get you started. You can
set up all kinds of domains and classes of users in the netscreen, and
match them to users as above.
3. Ensure that the password length is sufficient. There is a defined
minimum length in the netscreen Software. I think it may be 9 chars but
check with your doco.
Hope this helps,
Frank Ranner
More information about the Freeradius-Users
mailing list