separating Users?
David Mitchell
mitchell at ucar.edu
Mon Nov 30 21:27:00 CET 2009
freeradius at corwyn.net wrote:
>
> There's a piece of RADIUS that I'm not understanding.
>
> If I have an entry in my ./users file
>
> DEFAULT Auth-Type:=Accept,Ldap-Group == "Group1"
>         Service-Type=NAS-Prompt-User,cisco-avpair="shell:priv-lvl=15"
>
> And another entry
>
> DEFAULT Auth-Type:=Accept,Ldap-Group == "Group2"
>         Service-Type=NAS-Prompt-User,cisco-avpair="shell:priv-lvl=15"
>
> where I'm trying to authorize users in Group1 for one set of switches,
> and users in Group2 for another set of switches, how does freeradius
> know which is which?
You want something like this in huntgroups. It will assign the huntgroup
based on the value of NAS-IP-Address.
cisco NAS-IP-Address == 10.0.0.1
cisco NAS-IP-Address == 10.0.0.2
And then in your users file:

DEFAULT Ldap-Group == cisco-admin, Huntgroup-Name == cisco
        Service-Type := Administrative-User,
        Reply-Message := "Authorized Users Only"

DEFAULT Ldap-Group == cisco-user, Huntgroup-Name == cisco
        Service-Type := NAS-Prompt-User,
        Reply-Message := "Authorized Users Only"
This gives the different classes of users different levels of access to
the same devices. It should be clear though how to make it do what you want.
I see several potential problems in your config.
1) Don't specify the Auth-Type. You still want to check the password I
assume. I think your config will let in any user who is in group
"Group1" irrespective of the supplied password.
2) You don't specify the requirement to match a huntgroup name. All of
the match clauses should be provided comma separated after DEFAULT.
3) You probably don't want the '=' operator, as it will not replace an
existing entry in the reply. The ':=' will replace an existing entry.
This probably isn't a problem in your case, but I would do it anyway.
4) I never had much luck with that priv-lvl=15 AV pair. I have both
CatOS and IOS devices respecting the Service-Type AV though.
-David Mitchell
>
> Rick
>
> Rick Steeves
> http://www.sinister.net
>
> In reality nothing is more damaging to the adventurous spirit within a
> man than a secure future - Alexander Supertramp
--
David Mitchell (mitchell at ucar.edu), Network Engineer IV
National Center for Atmospheric Research
Tel: (303) 497-1845   FAX: (303) 497-1818
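As an added example (not from David's reply or any FreeRADIUS source), here is a small Python simulation of the users-file matching his reply describes: huntgroup names, LDAP groups and NAS addresses are constructed, and the code shows the Huntgroup-Name check from point 2 together with the '=' versus ':=' reply-operator difference from point 3.

```python
# Added illustration, not from the list post: a tiny simulator of how FreeRADIUS
# picks a users-file entry when Huntgroup-Name (from the huntgroups file) and
# Ldap-Group are both check items. Names, groups and addresses are constructed.

# huntgroups file: huntgroup name -> NAS-IP-Address values that belong to it
HUNTGROUPS = {
    "cisco-core": {"10.0.0.1", "10.0.0.2"},
    "cisco-edge": {"10.0.1.1"},
}

# users file: each DEFAULT entry as (check items, reply items); first match wins,
# and no entry sets Auth-Type, so the password is still verified by the auth module
USERS = [
    ({"Ldap-Group": "Group1", "Huntgroup-Name": "cisco-core"},
     [(":=", "Service-Type", "Administrative-User"),
      (":=", "Reply-Message", "Authorized Users Only")]),
    ({"Ldap-Group": "Group2", "Huntgroup-Name": "cisco-edge"},
     [(":=", "Service-Type", "NAS-Prompt-User"),
      ("=", "Reply-Message", "Authorized Users Only")]),  # '=' adds only if absent
]


def huntgroup_for(nas_ip):
    """Huntgroup-Name the huntgroups file would assign to this NAS, or None."""
    return next((name for name, ips in HUNTGROUPS.items() if nas_ip in ips), None)


def entry_matches(checks, request):
    """All check items must hold; Ldap-Group matches any of the user's groups."""
    attrs = dict(request, **{"Huntgroup-Name": huntgroup_for(request["NAS-IP-Address"])})
    return all(
        want in attrs.get("Ldap-Group", ()) if attr == "Ldap-Group" else attrs.get(attr) == want
        for attr, want in checks.items()
    )


def authorize(request, users=USERS, reply=None):
    """Reply items from the first matching entry, or None if no entry matched.

    ':=' overwrites an attribute already in the reply; '=' leaves it untouched,
    which is the difference point 3 of the post warns about.
    """
    reply = dict(reply or {})
    for checks, reply_items in users:
        if entry_matches(checks, request):
            for op, attr, value in reply_items:
                if op == ":=" or attr not in reply:
                    reply[attr] = value
            return reply
    return None
```

A Group1 user logging in to an edge switch matches no entry and so receives none of these reply items, which is what separates the two device sets.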