how to organize groups of users getting access to groups of servers

Alan DeKok aland at deployingradius.com
Tue Mar 25 20:44:37 CET 2014


Jan-Frode Myklebust wrote:
> I want to use freeradius to authenticate different groups of users (from
> LDAP) to sets of network devices, potentially with different access
> levels, but have a bit of a hard time understanding how this is supposed to
> be configured. It would be nice to get some advice..

  Write out the rules in plain English.  Then, translate them into
"unlang".  The translation is fairly direct.

> What I have so far is:
> 
> # Give ldap group "firewall" super-user privilege on juniper firewalls:
> DEFAULT Ldap-Group == "cn=firewall,cn=groups,cn=accounts,dc=example,dc=com"
> 	Auth-Type := LDAP
> 	Juniper-Local-User-Name := "super-users",
> 
> # Give ldap group "netadmin" "enable" access on cisco routers:
> DEFAULT Ldap-Group == "cn=netadmin,cn=groups,cn=accounts,dc=example,dc=com"
> 	Auth-Type := LDAP
> 	cisco-avpair = "shell:priv-lvl=15"
> 
> But this doesn't work for users who are members of both groups, so
> I need to say that the first rule is limited to a set of juniper
> devices, and the second is limited to a set of cisco devices.

  Yes, the two rules don't check which client device is being used.
They also don't check if the user is *asking* for administrator privilege.

> What's the strategy we should use for expressing this? Is it possible
> without having to specify one rule for each NAS-IP-Address? I.e. being
> able to do some kind of grouping of clients to match on would be very
> helpful..

  Add a 'type' for each client:

  client foo {
	ipaddr = x
	secret = y
	...
	# arbitrary extra field; read back in unlang as %{client:type}
	type = juniper
  }

  Then use "unlang":

	if ("%{client:type}" == "juniper") {
		# check if the user is ASKING for admin access
		# only members of the firewall group may log in to juniper devices
		if (Ldap-Group != "cn=firewall,cn=groups,cn=accounts,dc=example,dc=com") {
			reject
		}

		update control {
			Auth-Type := LDAP
		}

		update reply {
			Juniper-Local-User-Name := "super-users"
		}
	}


  And you probably don't want to force "Auth-Type := LDAP".  Just list
"ldap" in the "authorize" section.

  Alan DeKok.
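A fuller version of the setup described in this reply, added here as an example rather than taken from the thread: two clients carrying a `type` field, one unlang branch per device type, and `ldap` listed in `authorize` instead of forcing `Auth-Type := LDAP`. Client names, addresses and secrets are constructed; it assumes FreeRADIUS 3.x and that this virtual server only handles network-device administration logins, so a client without a recognised type is rejected outright.

```unlang
# clients.conf: give every NAS a custom "type" field
# (constructed addresses and placeholder secrets)
client fw1 {
	ipaddr = 192.0.2.10
	secret = REPLACE_WITH_FIREWALL_SECRET
	type = juniper
}
client rtr1 {
	ipaddr = 192.0.2.20
	secret = REPLACE_WITH_ROUTER_SECRET
	type = cisco
}

# sites-enabled/default: "ldap" is listed in authorize, so rlm_ldap sets
# Auth-Type for the password check itself; nothing forces Auth-Type := LDAP.
authorize {
	ldap

	if ("%{client:type}" == "juniper") {
		# only members of the firewall group may log in to Juniper devices
		if (Ldap-Group != "cn=firewall,cn=groups,cn=accounts,dc=example,dc=com") {
			reject
		}
		update reply {
			Juniper-Local-User-Name := "super-users"
		}
	}
	elsif ("%{client:type}" == "cisco") {
		# only members of the netadmin group get enable (priv-lvl 15) on Cisco
		if (Ldap-Group != "cn=netadmin,cn=groups,cn=accounts,dc=example,dc=com") {
			reject
		}
		update reply {
			Cisco-AVPair := "shell:priv-lvl=15"
		}
	}
	else {
		# a client with no recognised type gets nothing: fail closed
		reject
	}
}

authenticate {
	Auth-Type LDAP {
		ldap
	}
}
```

A user in both LDAP groups now gets the Juniper reply only from Juniper clients and the Cisco reply only from Cisco clients, and is rejected on any device whose group they are not in.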

