Restricting certain users' access to certain NAS devices

Whitmarsh Mark (Leeds Teaching Hospitals NHS Trust) mark.whitmarsh at nhs.net
Wed Jun 2 18:44:51 CEST 2010


Thanks Alan. I've got that bit working now.
However, I can't get my check on the NAS-IP-Address attribute to work.

I now have this config:

File dictionary
ATTRIBUTE       User_Group_Name         3003    string
ATTRIBUTE       Nas_Group_Name          3004    string

File modules/etc_group
passwd etc_group {
        filename = /etc/raddb/lth_group
        format = "~User_Group_Name:*,User-Name"
        hashsize = 50
        ignorenislike = no
        allowmultiplekeys = yes
        delimiter = ":"
}

File modules/nas_group
passwd nas_group {
        filename = /etc/raddb/nas_group
        format = "~Nas_Group_Name:*,NAS-IP-Address"
        hashsize = 50
        ignorenislike = no
        allowmultiplekeys = yes
        delimiter = ":"
}


File lth_group
path_group:user1,user2,user3,user4
comms_group:superuser1,superuser2,superuser3,superuser4

File nas_group
path_nas_group:xxx.xxx.225.59,xxx.xxx.104.10
comms_nas_group:xxx.xxx.225.60

File sites-enabled/default - post-auth section

        etc_group
        nas_group
        exec
        #if ("%{NAS-IP-Address}" == xxx.xxx.225.59) {
        #       update reply {
        #               Reply-Message := "Mark Whitmarsh not allowed here"
        #       }
        #       reject
        #}
        if ("%{User_Group_Name}" == path_group) {
                if ("%{Nas_Group_Name}" != path_nas_group) {
                        update reply {
                                Reply-Message := "Pathology not allowed here"
                        }
                        reject
                }
        }
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }


In debug, nas_group always returns notfound. If I change the nas_group module to use Calling-Station-Id, for example, then it successfully returns my IP address (xxx.xxx.104.10).
Is it because NAS-IP-Address is type ipaddr that it doesn't find it in the nas_group file?

Mark.

________________________________________
From: freeradius-users-bounces+mark.whitmarsh=nhs.net at lists.freeradius.org [freeradius-users-bounces+mark.whitmarsh=nhs.net at lists.freeradius.org] On Behalf Of Alan DeKok [aland at deployingradius.com]
Sent: 27 May 2010 17:02
To: FreeRadius users mailing list
Subject: Re: Restricting certain users' access to certain NAS devices

Whitmarsh Mark (Leeds Teaching Hospitals NHS Trust) wrote:
> Sorry, I should have mentioned I already tried man rlm_passwd and couldn't figure it out.
> I've been through it again and have made the following changes:
>
> 1. created a file /etc/raddb/path_group
> path_group:user1,user2,user3,user4,user5
>
> 2. Added the following to /etc/raddb/dictionary
> ATTRIBUTE       User_Group_Name         3003    string
>
> 3. Added to modules/passwd
> filename = /etc/raddb/path_group
> hashsize = 20
> allowmultiplekeys = yes
> format = "~User_Group_Name:*,User-Name"
>
> 4. Also edited modules/etc_group because I couldn't make out which file to put these items in
> passwd etc_group {
>         filename = /etc/raddb/path_group
>         format = "~User_Group_Name:*,User-Name"
>         hashsize = 50
>         ignorenislike = no
>         allowmultiplekeys = yes
>         delimiter = ":"
> }
>
> 5. Inserted this into the post-auth section of sites-enabled/default
>
> if ("%{User_Group_Name}" == path_group) {

  You should list "etc_group" in the post-auth section.  The module will
be loaded, and will add the User_Group_Name attribute.

> Debug output is:

  Which shows that the etc_group module isn't used when a packet is
received.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
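The policy in the thread is an rlm_passwd lookup of two "group:key1,key2" files followed by an unlang check in post-auth. What follows is an editor-added worked example, not code from the thread or from FreeRADIUS: it re-implements in plain Python what the two `passwd` instances do with a format of the shape "~Attr:*,Key" (first field is the attribute added, second is a comma-separated key list, allowmultiplekeys = yes) and what the posted `if` blocks then decide, so the policy can be unit-tested without a running server. The group contents and addresses are constructed (RFC 5737 documentation ranges) and stand in for the poster's redacted files; the function names are the example's own. The last function shows the shape of the failure the thread asks about (a string-keyed table cannot match a typed address value until it is printed) and is not a statement about rlm_passwd's internals.

```python
"""Offline model of the group-file lookups and post-auth policy in the thread.

Editor-added example, not FreeRADIUS code: nothing here talks to a RADIUS
server. File contents and addresses are constructed stand-ins.
"""
import ipaddress
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-ins for /etc/raddb/lth_group and /etc/raddb/nas_group.
LTH_GROUP = """\
path_group:user1,user2,user3,user4
comms_group:superuser1,superuser2,superuser3,superuser4
"""
NAS_GROUP = """\
path_nas_group:192.0.2.59,198.51.100.10
comms_nas_group:192.0.2.60
"""


def canonical_ip(text: str) -> str:
    """Canonical printed form of an address given as text.

    Keys in the table and the value looked up must use the same printed
    form; a typed address object never compares equal to the file's string.
    """
    return str(ipaddress.ip_address(text.strip()))


def load_group_file(text: str, delimiter: str = ":",
                    key_normaliser: Optional[Callable[[str], str]] = None
                    ) -> Dict[str, str]:
    """Build a key -> group-name map from "group:key1,key2,..." lines.

    Mirrors allowmultiplekeys = yes: each entry of the comma-separated key
    field becomes its own key. On a duplicate key the first line wins.
    """
    table: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(delimiter)
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected 2 fields, got {len(fields)}")
        group, keys = fields
        for key in keys.split(","):
            key = key.strip()
            if not key:
                continue
            if key_normaliser is not None:
                key = key_normaliser(key)
            table.setdefault(key, group)
    return table


def post_auth(request: dict, user_groups: Dict[str, str],
              nas_groups: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
    """Model the posted post-auth section: etc_group, nas_group, then the ifs.

    A notfound lookup leaves the attribute absent; unlang expands "%{...}" to
    "" and "" != path_nas_group is true, so a path_group user is rejected from
    every NAS not listed in path_nas_group, unknown NASes included.
    """
    reply: Dict[str, str] = {}
    user_group = user_groups.get(request.get("User-Name", ""))
    nas_ip = request.get("NAS-IP-Address")
    # NAS-IP-Address is an ipaddr value: look it up by its printed form.
    nas_group = nas_groups.get(str(nas_ip)) if nas_ip is not None else None
    if user_group == "path_group" and nas_group != "path_nas_group":
        reply["Reply-Message"] = "Pathology not allowed here"
        return "reject", reply
    return "accept", reply


def evaluate(user_name: str, nas_ip: str) -> Tuple[str, Dict[str, str]]:
    """Load both constructed group files and run one request through them."""
    users = load_group_file(LTH_GROUP)
    nases = load_group_file(NAS_GROUP, key_normaliser=canonical_ip)
    request = {"User-Name": user_name,
               "NAS-IP-Address": ipaddress.ip_address(nas_ip)}
    return post_auth(request, users, nases)


def lookup_typed_key(nas_groups: Dict[str, str], nas_ip: str) -> Optional[str]:
    """Look up with the typed address object instead of its printed string.

    IPv4Address("192.0.2.59") != "192.0.2.59", so a string-keyed table misses.
    """
    return nas_groups.get(ipaddress.ip_address(nas_ip))  # type: ignore[arg-type]


if __name__ == "__main__":
    for user, nas in [("user1", "192.0.2.59"), ("user1", "192.0.2.60"),
                      ("superuser1", "192.0.2.60"), ("user2", "203.0.113.5")]:
        print(user, nas, evaluate(user, nas))
```

Two properties of the posted policy become visible when it is run this way: a user who is in no group at all is never rejected by this block, because only a User_Group_Name of path_group triggers the check, and a path_group user is refused from any NAS the nas_group lookup cannot classify, so a nas_group that always returns notfound locks that whole group out rather than letting it through.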