Freeradius privilege separation

Michał Dopierała michu162 at gmail.com
Fri May 14 16:47:55 CEST 2010


Thanks for the response!

So, the users file can look like this:
========================users=====================================

mdopierala     Packet-Src-IP-Address == 192.168.1.1, Crypt-Password = "some_hash"
               Service-Type = "Administrative-User",
               Cisco-AVPair = "shell:priv-lvl=15",
               Brocade-Auth-Role = "Administrator"

mdopierala     Packet-Src-IP-Address == 192.168.1.2, Crypt-Password = "some_hash2"
               Service-Type = "Administrative-User",
               Cisco-AVPair = "shell:priv-lvl=1",
               Brocade-Auth-Role = "Administrator"

=====================================================================

This way user mdopierala will have priv-lvl=15 on router1 and priv-lvl=1 on
router2?
I have a lot of users and clients in my environment (a lot of
network equipment and administrators). Can I make groups of these users
and clients and then apply policies to these groups? This way I could add new
users to these groups instead of making separate policies.
Unfortunately I work on a production environment and I can't run as many tests
as I would like.

2010/5/14 Alan DeKok <aland at deployingradius.com>

> Michał Dopierała wrote:
> > Is it possible in FreeRADIUS to have one user who has full privilege
> > level on one piece of equipment (one Cisco router, privilege lvl 15), and limited
> > privilege level on other equipment (another router with a smaller privilege,
> > e.g. lvl 10, which will be configured on the router)?
>
>   Yes.
>
> > How to separate it?
>
>  How are the requests different?  Use that information to separate the
> policies for the two routers.
>
> > My current configuration of users:
> >
> >  mdopierala      Auth-Type := PAP, Crypt-Password = "passwrd"
>
>   DON'T set Auth-Type.  Honestly.  This should be written in huge
> letters everywhere on all of the documentation.
>
> >                 Service-Type = "Administrative-User",
> >                 Cisco-AVPair="shell:priv-lvl=15",
> >                 Brocade-Auth-Role ="Administrator"
>
>   And it doesn't contain any *conditional* checks for different clients.
>
>  You could do:
>
> mdopierala Packet-Src-IP-Address == 192.168.1.1, Cleartext-Password := ...
>        ...
>
>
>  i.e. check for NAS IP, and return different results based on that.
>
>  Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
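The thread's two approaches (one entry per user and NAS, versus grouping users and NAS clients) both come down to how rlm_files walks the users file: entries are tried in order, every check item of an entry must match, the first matching entry wins unless it sets Fall-Through = Yes. The script below is an added example, not code from the post or from FreeRADIUS: it emulates that walk over a constructed users file and a constructed huntgroups file, so the two approaches can be compared side by side. The user jsmith, the netadmins group, the huntgroup names and all IP addresses are made up for the example; the GROUPS dict stands in for rlm_unix's Group comparison (which reads the system group file), and huntgroup_name stands in for rlm_preprocess, which reads raddb/huntgroups and adds Huntgroup-Name to the request.

```python
"""Emulation of how FreeRADIUS's rlm_files walks the `users` file, with
`huntgroups` supplying a Huntgroup-Name for the NAS. Added example, not
FreeRADIUS code: it models first-match, Fall-Through and '==' check items
only; the policy texts and group membership below are constructed."""
import re

# Constructed users file. mdopierala gets one entry per NAS (the post's
# approach); jsmith is handled by DEFAULT entries keyed on Group and
# Huntgroup-Name (the grouped approach), so adding a user to the group or a
# NAS to a huntgroup needs no new policy line.
USERS = '''
mdopierala  Packet-Src-IP-Address == 192.168.1.1, Crypt-Password := "some_hash"
        Service-Type = Administrative-User,
        Cisco-AVPair = "shell:priv-lvl=15"

mdopierala  Packet-Src-IP-Address == 192.168.1.2, Crypt-Password := "some_hash"
        Service-Type = Administrative-User,
        Cisco-AVPair = "shell:priv-lvl=1"

# Grouped user: this entry only carries the password and falls through to
# the DEFAULT entries, which pick the privilege level per huntgroup.
jsmith  Crypt-Password := "some_hash3"
        Fall-Through = Yes

DEFAULT  Group == "netadmins", Huntgroup-Name == "core-routers"
        Service-Type = Administrative-User,
        Cisco-AVPair = "shell:priv-lvl=15"

DEFAULT  Group == "netadmins", Huntgroup-Name == "access-switches"
        Service-Type = Administrative-User,
        Cisco-AVPair = "shell:priv-lvl=1"
'''

# Constructed huntgroups file: lines sharing a name are ORed together.
HUNTGROUPS = '''
core-routers     NAS-IP-Address == 192.168.1.1
core-routers     NAS-IP-Address == 192.168.1.3
access-switches  NAS-IP-Address == 192.168.1.2
'''

# Stand-in for rlm_unix's Group check (assumed membership, not a real group file).
GROUPS = {"netadmins": {"jsmith"}}

ITEM_RE = re.compile(r'([\w-]+)\s*(==|:=|=)\s*("[^"]*"|[^,\s]+)')


def parse_items(text):
    """Split 'A == x, B := "y"' into (attr, op, value) tuples."""
    return [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(text)]


def parse_entries(text):
    """users/huntgroups syntax: an unindented line starts an entry
    (name plus check items); indented lines hold its reply items."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            name, rest = re.match(r'(\S+)\s*(.*)', line).groups()
            entries.append({"name": name, "check": parse_items(rest), "reply": []})
        else:
            entries[-1]["reply"].extend((a, v) for a, _, v in parse_items(line))
    return entries


def huntgroup_name(req, huntgroups):
    """Name of the first huntgroup whose check items all match the request."""
    for hg in huntgroups:
        if all(req.get(a) == v for a, op, v in hg["check"] if op == "=="):
            return hg["name"]
    return None


def check_matches(req, attr, value):
    if attr == "Group":
        return req["User-Name"] in GROUPS.get(value, ())
    return req.get(attr) == value


def authorize(req, users, huntgroups):
    """Reply items for req: first entry whose '==' checks all match wins,
    unless it sets Fall-Through = Yes. '=' and ':=' on the check side (e.g.
    Crypt-Password) set control items for authentication and are not compared."""
    req = {**req, "Huntgroup-Name": huntgroup_name(req, huntgroups)}
    reply = []
    for e in users:
        if e["name"] not in ("DEFAULT", req["User-Name"]):
            continue
        if not all(check_matches(req, a, v) for a, op, v in e["check"] if op == "=="):
            continue
        fall_through = False
        for attr, value in e["reply"]:
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
            else:
                reply.append((attr, value))
        if not fall_through:
            break
    return reply


def priv_level(user, src_ip):
    """Cisco priv-lvl granted to user logging in via NAS src_ip, or None."""
    req = {"User-Name": user, "Packet-Src-IP-Address": src_ip, "NAS-IP-Address": src_ip}
    reply = authorize(req, parse_entries(USERS), parse_entries(HUNTGROUPS))
    for attr, value in reply:
        if attr == "Cisco-AVPair" and value.startswith("shell:priv-lvl="):
            return int(value.split("=", 1)[1])
    return None


if __name__ == "__main__":
    for user, nas in [("mdopierala", "192.168.1.1"), ("mdopierala", "192.168.1.2"),
                      ("jsmith", "192.168.1.3"), ("jsmith", "192.168.1.2"),
                      ("jsmith", "192.168.1.9")]:
        print(user, nas, priv_level(user, nas))
```

Two points the run makes visible: a grouped user from a NAS that is in no huntgroup (jsmith from 192.168.1.9) gets no Cisco-AVPair at all, so the router falls back to its own default rather than to a guessed level; and with the grouped layout the password must still come from somewhere, here the jsmith entry that falls through, in a real deployment typically another module such as LDAP. Note also that huntgroups are conventionally keyed on NAS-IP-Address, an attribute the NAS puts in the packet itself, whereas Packet-Src-IP-Address, used in the post, is the address the packet actually came from.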