NAS login class to RADIUS authenticated ldap users

Darrain Waters dwaters at bioteam.net
Sun Jun 25 07:10:15 CEST 2017


AD: I'm not really sure what that means...

I can see where it is not clear.

AD: Could you describe what you want to do using examples... i.e. what a
user types when they login to the Juniper box, what's in the
Access-Request, and what you want to be in the Access-Accept.

I would like to map the group "admins" in the ldap directory, to the
super-user account "admin-su" on a Juniper NAS. Likewise, map a directory
group "net-ro" to the read-only account "admin-ro" on a juniper nas.

When a user attempts to log into a nas with ldap account, the request goes
to radius which looks up the user group membership & password. If the ldap
user belongs to group "admins" in the ldap directory, the user is granted
super-user rights via admin-su account on the juniper nas. If a user
attempts juniper nas login, and belongs to ldap "net-ro" group they are
given "admin-ro" read-only access to the juniper nas.

I can log into the juniper nas with my ldap user and pass, but the Juniper
has an account known as "remote" that catches all requests. The "remote"
account is unique and only allows 1 type of user access at a time. So, if I
want to grant different users su or ro access to the nas, I can't in this
scenario.

AD: That lets users log in without doing password checks.  This is likely
not what you want.

You are right, I do not want to allow user access without a password. I
have removed

 DEFAULT LDAP-Group == "admins", Auth-Type := Accept

and replaced it with

 DEFAULT LDAP-Group == "users", Auth-Type := Reject

I did this just to keep regular users from being able to access the nas
with their ldap user and pass.

AD: Do those instructions work?  If so, make small modifications to change
them to do what you want.

The Juniper instructions do not work and are probably old, though they came
from a recently dated post.

Thank you.

Darrain



On Sat, Jun 24, 2017 at 10:05 PM, Alan DeKok <aland at deployingradius.com>
wrote:

> On Jun 24, 2017, at 5:53 PM, Darrain Waters <dwaters at bioteam.net> wrote:
> >
> > I need to map ldap authenticated (389directory) users to juniper nas local
> > accounts that all have different access rights. I clearly run the ldap
> > module, and do a group search to verify a user can access based on group.
> > Is it possible to take the group the ldap module finds and map it to a same
> > named account on the juniper nas?
>
>   I'm not really sure what that means...
>
> > I want to avoid using the remote user id on the juniper nas with the access
> > class that I assign, and instead use the different accounts on the juniper
> > nas which are different access levels:
> >
> > user-ro
> > user-op
> > user-su
>
>   Could you describe what you want to do using examples... i.e. what a
> user types when they login to the Juniper box, what's in the
> Access-Request, and what you want to be in the Access-Accept.
>
>   i.e. In order to configure it, you need to know what you want it to do.
> Once your requirements are written down, the solutions are usually pretty
> straightforward.
>
> > I have not messed with the git pulled 3.0.14 config files other than ldap,
> > clients.conf and users file. See radiusd -X below for run info.  In my
> > users file I have:
> >
> > DEFAULT LDAP-Group == "admins", Auth-Type := Accept
>
>   That lets users log in without doing password checks.  This is likely
> not what you want.
>
> > Juniper's instructions are as follows, which I have tried:
>
>   Do those instructions work?  If so, make small modifications to change
> them to do what you want.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
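As an added illustration (not from either poster), the mapping described in this thread can be expressed in the FreeRADIUS `users` file by returning the Juniper VSA `Juniper-Local-User-Name` (defined in the stock `dictionary.juniper`) instead of setting `Auth-Type`, so the password is still checked by the `ldap` module while Junos selects the named local template account rather than the catch-all "remote" user. It assumes the `ldap` module runs before `files` in the `authorize` section, that the LDAP group names and the Juniper local accounts are the ones named above, and that a final catch-all rejects everyone else.

```text
# /etc/raddb/users (added example, not the original poster's config)
#
# Matching stops at the first DEFAULT entry whose check items match,
# so the most privileged group is listed first and the catch-all last.

# LDAP group "admins" -> Juniper local template "admin-su" (super-user)
DEFAULT LDAP-Group == "admins"
        Juniper-Local-User-Name = "admin-su"

# LDAP group "net-ro" -> Juniper local template "admin-ro" (read-only)
DEFAULT LDAP-Group == "net-ro"
        Juniper-Local-User-Name = "admin-ro"

# Everyone else (e.g. plain "users" group members) is rejected outright.
# No Auth-Type is forced on the accepted entries above: the ldap module
# still binds with the user's password, so only group membership is mapped.
DEFAULT
        Auth-Type := Reject
```

Because the reply attribute is a Juniper vendor-specific attribute, the Access-Accept for an "admins" member carries `Juniper-Local-User-Name = "admin-su"`, and the Junos side must already have a local user `admin-su` with `class super-user` (and `admin-ro` with a read-only class) for the mapping to take effect.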


More information about the Freeradius-Users mailing list