No subject

D C dc12078 at gmail.com
Fri Jul 24 14:02:08 CEST 2015


I recently configured a radius server with openldap backend to handle
central auth for all my network equipment.  The ldap module is using
"radiusGroupName" as my groupmembership_attribute.

I've configured post-auth  and the users file in such a way that I can log
into devices with my ldap credentials ONLY if I am a member of one of 2
groups.  My reply-item attributes are stored in ldap within the group, and
all that is working great.  Valid users who are not members of these
defined groups get rejected.  perfect.

Now the tricky part.  I have a third ldap group that I want to use in order
to assign vpn access to people. So some users may be members of only the
vpn group, and some may be members of the superadmin group as well as the
vpn group.  This causes two problems.

1) If I allow the vpn group, then vpn users will be able to log in to
network equipment, which is definitely not desired.

2) I don't currently have any way to determine within radius if a user is
trying to log in to the vpn, or if they are trying to ssh to my firewall.


I'm not really sure what I should do to work around this.  The only idea
I've come up with (which I don't like) is to have my firewall set a
different NAS-IP for the vpn users.  If that is different, then I imagine I
can probably write some logic in post-auth to handle it.  Is there a better
way to do this?


The radius configuration on my firewall will let me set the NAS-IP,
auth-type, which source IP to communicate with, and which destination port
the radius server is listening on.  I've not yet looked into how the
virtual servers work in radius, so maybe I can set up a different port and
config for my vpn users to auth against.


Using FreeRadius 2.1.12.
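The separate-port approach the post is leaning towards, written out as FreeRADIUS 2.x configuration. This is an added example, not configuration from the poster or from the FreeRADIUS project: the port number 1822, the virtual server name "vpn", the group names other than "superadmin", and the client address are all assumptions. The idea is that each listener hands requests to its own virtual server, so the VPN policy (vpn group required) and the network-equipment policy (admin groups required, vpn group deliberately absent) never share a post-auth section, and a vpn-only user can never reach the equipment policy by accident.

```unlang
# --- radiusd.conf (or a file under sites-enabled/) ---
# Second listener on a dedicated port. The firewall's VPN profile points
# its RADIUS destination port here; its management/ssh profile keeps
# using 1812, which is served by the default virtual server.
# Port 1822 and the server name "vpn" are assumptions for this example.
listen {
    type           = auth
    ipaddr         = *
    port           = 1822
    virtual_server = vpn
}

# --- sites-enabled/vpn ---
server vpn {
    authorize {
        preprocess
        ldap            # same rlm_ldap instance; groups via radiusGroupName
    }

    authenticate {
        Auth-Type LDAP {
            ldap
        }
    }

    post-auth {
        # Only members of the vpn group may authenticate through this port.
        # Ldap-Group is the check attribute rlm_ldap provides in 2.x.
        if (!(Ldap-Group == "vpn")) {
            update reply {
                Reply-Message := "Not authorised for VPN"
            }
            reject
        }
    }
}

# --- sites-enabled/default, post-auth section (network equipment) ---
# Unchanged policy: the vpn group is intentionally not listed, so users who
# are only in "vpn" are still rejected on ssh/management logins.
# "netadmin" stands in for the second admin group (assumed name).
post-auth {
    if (!(Ldap-Group == "superadmin" || Ldap-Group == "netadmin")) {
        reject
    }
}

# --- clients.conf: alternative selector ---
# If the firewall can send VPN requests from a different source IP instead
# of a different port, the virtual server can be chosen per client rather
# than per listener. 192.0.2.2 is a constructed address.
client firewall-vpn {
    ipaddr         = 192.0.2.2
    secret         = REPLACE_WITH_SHARED_SECRET
    virtual_server = vpn
}
```

Either selector (listener port or client address) is evaluated before any LDAP lookup, so the decision about which policy applies is made from where the request arrived rather than from anything the user supplies, which is the property the post is after. The NAS-IP-Address idea from the post would work too, but it relies on an attribute set by the NAS itself, whereas the listener or client match is enforced by the server's own configuration.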

