Two-Step LDAP authentication?
Alexander Clouter
alex at digriz.org.uk
Thu Sep 16 15:02:54 CEST 2010
In article <BAY154-w6AE2B5874B5015E85E875C07A0 at phx.gbl> you wrote:
>
> I'm a new subscriber of this list. I'm trying to setup a radius server
> with LDAP authentication; I've managed to authenticate a user (from a
> Cisco Device), but my fellows from Security Department think that we
> should have a two-step authentication:
>
Ask your security folk for *today* a list of people who may only
administer one selection of devices and not the other. If they
actually do not use the facility then it is a waste of time implementing
it (it is easy enough to implement later on); I get the impression this
is a "not needed but would be nice if this could be done". :)
Far more appropriate is to configure the switches to all log to a central
syslog server (so you know who and when someone logged in and out) and
configure something like RANCID to record the configuration changes.
...anyway, onto the problem.
> 1. User/password authentication, searching in
> cn=users,ou=pepe,ou=jose,c=es
>
> 2. A compare request, searching a specific objectclass in the LDAP
> tree.
>
> So, the idea is the following one: depending on the NAS-IP-Address,
> not only to check for a correct password, but search the uid in an
> objectclass called owner in the entry cn=deviceX,ou=pepe,ou=jose,c=es.
>
> deviceX is the one with the source NAS-IP-Address. I know how to
> unlang using switch statements, configuring different ldap modules
> in the radius server, so I can write the basedn I want.
>
> But how can I do step 2?
>
The easiest approach is to create LDAP groups based on the
NAS-IP-Address and then test to see if the user is a member of the group
'%{NAS-IP-Address}'. Once you create the LDAP groups and make the users
members of them you can use unlang in your 'authorize' section in a
manner like:
authorize {
    ....
    ldap
    if (Ldap-Group != "%{NAS-IP-Address}") {
        update reply {
            Reply-Message := "no way kiddo"
        }
        reject
    }
    ....
}
This is off the top of my head but should give you what you are looking
for; you will see in the output of 'freeradius -X' it doing what you
roughly need. The only problem I can see with it is that if you have a
lot of switches to log into, the number of groups you have to add a user
to becomes a really tedious process; this problem could be solved by using
something like the following instead:
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg59481.html
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg62699.html
Cheers
--
Alexander Clouter
.sigmonster says: I hate quotations.
-- Ralph Waldo Emerson
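A fuller version of the group-based check suggested in the reply, added here as an illustration and not part of the original message: the FreeRADIUS 2.x ldap module settings that make the Ldap-Group comparison work (the group search runs a filter against the user's DN that the ldap module stores in control:Ldap-UserDn), one group entry per switch named after its NAS-IP-Address, and the authorize/authenticate sections that tie the two steps together. The server name, bind identity, ou=groups container, 192.0.2.10 address and uid=jdoe are assumed values; the base DN and cn=users container are the ones from the original question.

```text
# modules/ldap (FreeRADIUS 2.x); server, bind identity and ou=groups are assumed
ldap {
    server   = "ldap.example.org"
    identity = "cn=radius,ou=pepe,ou=jose,c=es"
    password = "bind-password"
    basedn   = "ou=pepe,ou=jose,c=es"
    # Step 1: locate the user entry under cn=users; Auth-Type LDAP then binds as it
    filter   = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    # Step 2: an entry counts as a group when its member attribute holds the user's DN;
    # Ldap-Group compares the value in the request against the cn of such entries
    groupname_attribute    = cn
    groupmembership_filter = "(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))"
}

# One group entry per switch, named after its NAS-IP-Address (LDIF, assumed layout):
#   dn: cn=192.0.2.10,ou=groups,ou=pepe,ou=jose,c=es
#   objectClass: groupOfNames
#   cn: 192.0.2.10
#   member: uid=jdoe,cn=users,ou=pepe,ou=jose,c=es

# sites-enabled/default
authorize {
    # ldap must run before the check: it sets control:Ldap-UserDn for the group filter
    ldap
    # a user that is not a member of the group named after this switch is refused
    if (!(Ldap-Group == "%{NAS-IP-Address}")) {
        update reply {
            Reply-Message := "not an owner of this device"
        }
        reject
    }
}

authenticate {
    # the password check is a bind to the directory as the user's DN
    Auth-Type LDAP {
        ldap
    }
}
```

With 'freeradius -X' the group lookup appears as a search for (&(cn=<NAS-IP-Address>)(&(objectClass=groupOfNames)(member=<user DN>))) under the base DN, which is the quickest way to see why a membership test fails.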