Freeradius/Netscreen help [SEC=UNCLASSIFIED]

Ranner, Frank MR Frank.Ranner at defence.gov.au
Mon Apr 21 03:13:59 CEST 2008


UNCLASSIFIED

> -----Original Message-----
> From: freeradius-users-bounces+frank.ranner=defence.gov.au at lists.freeradius.org
> [mailto:freeradius-users-bounces+frank.ranner=defence.gov.au at lists.freeradius.org]
> On Behalf Of Mario Carassale
> Sent: Saturday, 19 April 2008 00:49
> To: freeradius-users at lists.freeradius.org
> Subject: Freeradius/Netscreen help
> 
> Hi All
> 
> I am new to this list, so please understand my funny question :-)
> 
> I have freeradius running fine and I want to authenticate a netscreen 
> firewall against it. My question is, how can I get user privileges 
> from the radius when a user logs into the firewall?
> 
> If I set the firewall to get privilege from the RADIUS server, 
> the login fails; I suppose this is due to not having admin privileges.
> 
> Thank you for all your help.
> 
> Mario
> 

There are a couple of things you need for netscreens.

1.  The netscreen dictionary. You should find one in the netscreen doco,
but failing that here is the one I use:
------------Start----------------
# -*- text -*-
#
#       From:
#
#       http://www.netscreen.com/support/downloads/4.0_configuring_screenOS_for_NTdomain_v11.pdf
#

VENDOR          Netscreen                       3224

BEGIN-VENDOR    Netscreen

ATTRIBUTE       NS-Admin-Privilege                      1       integer
ATTRIBUTE       NS-VSYS-Name                            2       string
ATTRIBUTE       NS-User-Group                           3       string
ATTRIBUTE       NS-Primary-DNS                          4       ipaddr
ATTRIBUTE       NS-Secondary-DNS                        5       ipaddr
ATTRIBUTE       NS-Primary-WINS                         6       ipaddr
ATTRIBUTE       NS-Secondary-WINS                       7       ipaddr

ATTRIBUTE       NS-NSM-User-Domain-Name                 220     string
ATTRIBUTE       NS-NSM-User-Role-Mapping                221     string

#
#  Values VSYS-Admin and Read-Only-VSYS-Admin require a NS-VSYS-Name
#  attribute in the response packet.
#
VALUE   NS-Admin-Privilege              Root-Admin              1
VALUE   NS-Admin-Privilege              All-VSYS-Root-Admin     2
VALUE   NS-Admin-Privilege              VSYS-Admin              3
VALUE   NS-Admin-Privilege              Read-Only-Admin         4
VALUE   NS-Admin-Privilege              Read-Only-VSYS-Admin    5

END-VENDOR      Netscreen
-----------Finish-------
Put the text into dictionary.netscreen and add a line

$INCLUDE dictionary.netscreen

in share/freeradius/dictionary

2. You need to return some attributes depending on the access level.
In raddb/users:

DEFAULT Ldap-Group == `%{Huntgroup-Name}_RWA`
        NS-Admin-Privilege := Root-Admin,
        NS-NSM-User-Domain-Name = global,
        NS-NSM-User-Role-Mapping = "global:Domain Administrator"

DEFAULT Ldap-Group == `%{Huntgroup-Name}_RO`
        NS-Admin-Privilege := Read-Only-Admin,
        NS-NSM-User-Domain-Name = global,
        NS-NSM-User-Role-Mapping = "global:Read-Only Domain Administrator"

DEFAULT Ldap-Group == `%{Huntgroup-Name}_RDA`
        NS-Admin-Privilege := Root-Admin,
        NS-NSM-User-Domain-Name = global,
        NS-NSM-User-Role-Mapping = "global:Restricted Device Administrator"

Obviously your check criteria will need to be adjusted to your
requirements, but the return attributes should get you started. You can
set up all kinds of domains and classes of users in the netscreen, and
match them to users as above.

3.  Ensure that the password length is sufficient. There is a defined
minimum length in the netscreen Software. I think it may be 9 chars but
check with your doco.

Hope this helps,

Frank Ranner
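The following is an added example, not part of Frank's reply and not code from the FreeRADIUS project: a small Python parser for the dictionary syntax shown above, plus an encoder and decoder for the RFC 2865 Vendor-Specific Attributes (type 26) that the NS-* reply items from the users entries become on the wire. The dictionary text embedded in it is a constructed subset of the post's Netscreen dictionary; the function names, the `rwa` sample reply and the `check_reply` helper (which enforces the dictionary's own comment that VSYS-Admin and Read-Only-VSYS-Admin need an NS-VSYS-Name) are my own.

```python
import socket
import struct

# Constructed subset of the Netscreen dictionary from the post (same numbers).
NETSCREEN_DICT = """
VENDOR          Netscreen                       3224
BEGIN-VENDOR    Netscreen
ATTRIBUTE       NS-Admin-Privilege              1       integer
ATTRIBUTE       NS-VSYS-Name                    2       string
ATTRIBUTE       NS-User-Group                   3       string
ATTRIBUTE       NS-Primary-DNS                  4       ipaddr
ATTRIBUTE       NS-NSM-User-Domain-Name         220     string
ATTRIBUTE       NS-NSM-User-Role-Mapping        221     string
# Values VSYS-Admin and Read-Only-VSYS-Admin require an NS-VSYS-Name
VALUE   NS-Admin-Privilege              Root-Admin              1
VALUE   NS-Admin-Privilege              All-VSYS-Root-Admin     2
VALUE   NS-Admin-Privilege              VSYS-Admin              3
VALUE   NS-Admin-Privilege              Read-Only-Admin         4
VALUE   NS-Admin-Privilege              Read-Only-VSYS-Admin    5
END-VENDOR      Netscreen
"""

VENDOR_SPECIFIC = 26  # RFC 2865 attribute type that carries every vendor attribute


def parse_dictionary(text):
    """Parse FreeRADIUS dictionary syntax into three lookup tables (hypothetical helper)."""
    vendors = {}   # vendor name -> vendor id
    attrs = {}     # attribute name -> (vendor id, vendor type, data type)
    values = {}    # (attribute name, value name) -> integer
    vendor_id = 0
    for raw in text.splitlines():
        fields = raw.split('#', 1)[0].split()   # strip comments and blank lines
        if not fields:
            continue
        kw = fields[0].upper()
        if kw == 'VENDOR':
            vendors[fields[1]] = int(fields[2])
        elif kw == 'BEGIN-VENDOR':
            vendor_id = vendors[fields[1]]
        elif kw == 'END-VENDOR':
            vendor_id = 0
        elif kw == 'ATTRIBUTE':
            attrs[fields[1]] = (vendor_id, int(fields[2]), fields[3])
        elif kw == 'VALUE':
            values[(fields[1], fields[2])] = int(fields[3])
    return vendors, attrs, values


def encode_vsa(name, value, attrs, values):
    """Encode one reply pair as type 26: vendor id, vendor type, vendor length, data."""
    vendor_id, vtype, dtype = attrs[name]
    if dtype == 'integer':
        num = values[(name, value)] if isinstance(value, str) else value
        data = struct.pack('!I', num)
    elif dtype == 'string':
        data = value.encode()
    elif dtype == 'ipaddr':
        data = socket.inet_aton(value)
    else:
        raise ValueError('unsupported data type %s' % dtype)
    body = struct.pack('!I', vendor_id) + struct.pack('!BB', vtype, len(data) + 2) + data
    return struct.pack('!BB', VENDOR_SPECIFIC, len(body) + 2) + body


def decode_vsa(blob, attrs, values):
    """Inverse of encode_vsa: returns (attribute name, value) with VALUE names restored."""
    atype, alen = struct.unpack('!BB', blob[:2])
    if atype != VENDOR_SPECIFIC or alen != len(blob) or alen < 8:
        raise ValueError('not a well-formed Vendor-Specific attribute')
    vendor_id = struct.unpack('!I', blob[2:6])[0]
    vtype, vlen = struct.unpack('!BB', blob[6:8])
    data = blob[8:6 + vlen]
    by_number = {(v, t): (n, d) for n, (v, t, d) in attrs.items()}
    name, dtype = by_number[(vendor_id, vtype)]
    if dtype == 'integer':
        num = struct.unpack('!I', data)[0]
        names = {(a, v): n for (a, n), v in values.items()}
        return name, names.get((name, num), num)
    if dtype == 'string':
        return name, data.decode()
    return name, socket.inet_ntoa(data)


def check_reply(reply):
    """The dictionary's own caveat: the two VSYS admin levels need an NS-VSYS-Name."""
    priv = reply.get('NS-Admin-Privilege')
    needs_vsys = priv in ('VSYS-Admin', 'Read-Only-VSYS-Admin')
    return not needs_vsys or 'NS-VSYS-Name' in reply


def encode_reply(reply, attrs, values):
    """Encode a whole reply-item set (one raddb/users entry) into attribute bytes."""
    if not check_reply(reply):
        raise ValueError('VSYS admin privilege without NS-VSYS-Name')
    return b''.join(encode_vsa(n, v, attrs, values) for n, v in reply.items())


if __name__ == '__main__':
    _, A, V = parse_dictionary(NETSCREEN_DICT)
    rwa = {'NS-Admin-Privilege': 'Root-Admin',            # the _RWA entry above
           'NS-NSM-User-Domain-Name': 'global',
           'NS-NSM-User-Role-Mapping': 'global:Domain Administrator'}
    print(encode_reply(rwa, A, V).hex())
```

Running it prints the reply as hex; the first bytes of each attribute are `1a` (type 26), the length, and `00000c98`, which is vendor 3224, so a packet capture of the Access-Accept can be read straight against the dictionary. `encode_reply` refuses the one combination the dictionary comment warns about before it ever reaches the firewall.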
