NAS login class to RADIUS authenticated ldap users
Alan DeKok
aland at deployingradius.com
Sun Jun 25 14:41:17 CEST 2017
On Jun 25, 2017, at 1:10 AM, Darrain Waters <dwaters at bioteam.net> wrote:
> I would like to map the group "admins" in the ldap directory, to the
> super-user account "admin-su" on a Juniper NAS. Likewise, map a directory
> group "net-ro" to the read-only account "admin-ro" on a juniper nas.
OK.
> When a user attempts to log into a nas with ldap account, the request goes
> to radius which looks up the user group membership & password. If the ldap
> user belongs to group "admins" in the ldap directory, the user is granted
> super-user rights via admin-su account on the juniper nas. If a user
> attempts juniper nas login, and belongs to ldap "net-ro" group they are
> given "admin-ro" read-only access to the juniper nas.
That's clearer. So write that down as a series of statements and if / then / else checks:
* when a user logs into the NAS, they do so with a name X, and password Y
* that information is sent to FreeRADIUS in an Access-Request
* FreeRADIUS checks to see if that name / password is OK, and rejects them if it's not OK.
* if they are accepted, FreeRADIUS looks up their group information in LDAP
* if they are in LDAP group "admins", FreeRADIUS should respond with Juniper-Local-User-Name = "admin-su"
* else if they are in LDAP group "net-ro", FreeRADIUS should respond with Juniper-Local-User-Name = "admin-ro"
Then, implement it piece by piece. Get LDAP authentication working. Then, get LDAP group checking working. That's done via the LDAP-Group attribute...
You'll want to put the Juniper-Local-User-Name into the "post-auth" section, as that is run only after a user is authenticated.
    if (LDAP-Group == admins) {
        update reply {
            Juniper-Local-User-Name := "admin-su"
        }
    }
You'll see that once you get the problem stated clearly, you can map that pretty directly into the FreeRADIUS configuration.
Alan DeKok.
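The complete post-auth mapping for both groups from this thread, written out as an added example (not code from the original post or from the FreeRADIUS project). It assumes FreeRADIUS 3 unlang syntax, that the ldap module is enabled with its group lookup configured so that LDAP-Group comparisons work, and that the Juniper vendor dictionary supplying Juniper-Local-User-Name is loaded. The group names and local account names are the ones stated in the thread; the decision to reject users in neither group is an added design choice.

```unlang
# Added example: post-auth section mapping LDAP groups to Juniper local
# accounts. Assumes FreeRADIUS 3, the ldap module with a group {} section
# configured, and the Juniper dictionary loaded (not part of the original post).
post-auth {
    # This section only runs for users who already authenticated successfully,
    # so a user who reaches it has a valid LDAP password.

    # Comparing LDAP-Group triggers a group-membership query via the ldap module.
    if (LDAP-Group == "admins") {
        update reply {
            # Super-user local account on the Juniper NAS
            Juniper-Local-User-Name := "admin-su"
        }
    }
    elsif (LDAP-Group == "net-ro") {
        update reply {
            # Read-only local account on the Juniper NAS
            Juniper-Local-User-Name := "admin-ro"
        }
    }
    else {
        # Authenticated, but in neither group: do not return an Access-Accept
        # without a mapping, or the NAS may fall back to a default local login.
        update reply {
            Reply-Message := "No NAS role mapped for this account"
        }
        reject
    }
}
```

Two points worth checking when adapting this: the ordering of the `if` / `elsif` branches decides what a user who is in both groups gets (here, "admins" wins), and if the server defines more than one ldap module instance, the group attribute is named after the instance (for example `<instance>-LDAP-Group`) rather than the plain `LDAP-Group` used above.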