How to differentiate between vpn user and appliance user?

Alan DeKok aland at deployingradius.com
Fri Jul 24 16:03:09 CEST 2015 

On Jul 24, 2015, at 8:52 AM, D C <dc12078 at gmail.com> wrote:
>> I've configured post-auth  and the users file in such a way that I can log
>> into devices with my ldap credentials ONLY if I am a member of one of 2
>> groups.  My reply-item attributes are stored in ldap within the group, and
>> all that is working great.  Valid users who are not members of these
>> defined groups get rejected.  perfect.

  That's good.

>> Now the tricky part.  I have a third ldap group that i want to use in
>> order to assign vpn access to people. so some users may be members of only
>> the vpn group, and some maybe members of the superadmin group as well as
>> the vpn group.  This causes two problems.
>> 
>> 1) If I add allow the vpn group, then vpn users will be able to login to
>> network equipment which is definitely not desired.

  Then allow the VPN group only if they're using the VPN services.

  How does the RADIUS server know they're using VPN services?  Run it in debugging mode, and see what the output is.

>> 2) I don't currently have any way to determine within radius if a user is
>> trying to login to the vpn, or if they are trying to ssh to my firewall.

  Read the debug output.  If users login to the VPN and send packet X, and login to the firewall and send packet Y... the two packets are different.  You can key off of those differences to set the different policies.

  If the two packets are identical, then it's *impossible* to run different services.  Because FreeRADIUS can't tell that they're different services.

>> I'm not really sure what I should do to work around this.  My only idea
>> I've come up with (which I don't like), is to have my firewall set a
>> different NAS-ip for the vpn users.  If that is different, then I imagine I
>> can probably write some login in post-auth to handle it.  Is there a better
>> way to do this.

  That's the way to do it.

>> The radius configuration on my firewall will let me set the nas-ip,
>> auth-type, which source ip to communicate with, and which destination port
>> the radius server is listening on.  I've not yet looked into how the
>> virtual servers work in radius, so maybe I can setup a different port and
>> config for my vpn users to auth against..
>> 
>> 
>> Using FreeRadius 2.1.12.

  You should really upgrade...

  Alan DeKok.

More information about the Freeradius-Users mailing list