BASIC question, but still having conceptual issues
Gary Gatten
Ggatten at waddell.com
Wed Aug 26 23:35:13 CEST 2009
$hit - I just remembered.
Eventually the Type 1 devices, specifically network switches, will be
doing two different types of auth: vty access for admins only and 802.1x
auth for all users! So, I can't process simply on NAS IP alone. I'm
assuming there will be some diffs in the request packets sent to FR for
vty, dot1x, etc. - but haven't got that far yet.
I know when I get this figured out it will be SO simple and I'll feel
like even a bigger dumb-a$$ than I do already, but at least I'll be a
less busy dumb-a$$! :)
TIA
Gary
-----Original Message-----
From: Gary Gatten
Sent: Wednesday, August 26, 2009 3:58 PM
To: 'FreeRadius users mailing list'
Subject: BASIC question, but still having conceptual issues
Sorry again for the BASIC question! I *occasionally* slam people on
other lists for being .... well, basically helpless - and here I am
asking what I think is a really stupid question! Humble pie anyone?
Let me take a sec to thank the development team for a very flexible
product! Seems you can do pretty much anything you'd ever need to! Did
Ci$co steal your code for ACS 5.0? :) Once I familiarize myself with
the ins and outs I hope to contribute to the community where I can,
probably with docs, use cases, examples, etc.
Now my current issue. I have read a lot of doc (some 3 and 4 times) and
am close to getting my head around how FR works and the various process
flow, however, I still can't determine the best way to address this
problem:
I have several different types of clients/NASs that will be using FR
as the Front End to perform AAA - mostly Authentication, but the Author
and Acct are close behind.
Anyway, each of these clients needs to perform slightly different backend
queries to determine if Authenticate should pass or fail:
Type 1: Networking Hardware Management Access (VTY)
- Routers, switches, VPN concentrators, firewalls, etc.
- Auth pass if creds are good AND user is member of NetEng group
in AD; else fail
Type 2: IPSec VPN Access
- RAS to HQ via IPSec (Ci$c0 ASA at HQ)
- Several profiles/groups will exist on ASA with different
properties:
- NetEng, SysAdmins, Basic Users, etc.
- Auth pass if creds are good AND user is member of "RAS" group
in AD
Type 3 ... etc.
So, how do I go about this? I'm currently using NTLM_Auth and that's
all working fine, I'm just not sure how to say in FR config: if request
of type 1, run this NTLM_Auth command and check for this group; if
request of type 2 run this other NTLM_Auth command and check for this
other group.
Would this be something in the huntgroup file?
TIA for replies - back to more reading and trials for me!
Gary
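One way to express the per-NAS-type selection the post asks about, as an added example rather than configuration from the thread: three excerpts (huntgroups file, two rlm_exec module instances, and the authorize/authenticate policy in unlang). The NAS addresses, the EXAMPLE domain, the group and huntgroup names, and the assumption that an 802.1X request from a switch carries EAP-Message while a vty login does not are all constructed placeholders.

```conf
# --- /etc/raddb/huntgroups (constructed addresses; one line per NAS) ---
vty-devices   NAS-IP-Address == 192.0.2.10
vty-devices   NAS-IP-Address == 192.0.2.11
ras-vpn       NAS-IP-Address == 198.51.100.5

# --- modules: one rlm_exec instance per client type, each running its own
#     ntlm_auth command with a different --require-membership-of group.
#     EXAMPLE\NetEng and EXAMPLE\RAS are placeholders; "\\" is one backslash
#     after the config file has been parsed.
exec ntlm_auth_neteng {
    wait = yes
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of=EXAMPLE\\NetEng"
}
exec ntlm_auth_ras {
    wait = yes
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of=EXAMPLE\\RAS"
}

# --- sites-enabled/default: choose the Auth-Type from the huntgroup ---
authorize {
    preprocess        # reads huntgroups and sets Huntgroup-Name on the request
    if (Huntgroup-Name == "vty-devices") {
        # Assumption: the same switch sends 802.1X (EAP) and vty requests;
        # hand EAP to the eap module and reserve ntlm_auth for vty logins.
        if (EAP-Message) {
            eap
        }
        else {
            update control { Auth-Type := ntlm_vty }
        }
    }
    elsif (Huntgroup-Name == "ras-vpn") {
        update control { Auth-Type := ntlm_ras }
    }
    else {
        reject        # NAS not in any known huntgroup: fail closed
    }
}
authenticate {
    # ntlm_auth exits non-zero on bad credentials OR missing group membership,
    # so either condition rejects the request.
    Auth-Type ntlm_vty { ntlm_auth_neteng }
    Auth-Type ntlm_ras { ntlm_auth_ras }
    eap
}
```

Additional client types (the "Type 3 ... etc." of the post) are added as further huntgroup names with their own elsif branch and exec instance.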