NAS login class to RADIUS authenticated ldap users

Darrain Waters dwaters at bioteam.net
Sun Jun 25 19:07:43 CEST 2017


Strange things happen when you slow it down and map your thoughts :).
I did have an elsif in the users file that clearly did not work based on
location.

Thanks very much for having a look at my question Alan.

Best

Darrain

On Sun, Jun 25, 2017 at 7:41 AM, Alan DeKok <aland at deployingradius.com>
wrote:

> On Jun 25, 2017, at 1:10 AM, Darrain Waters <dwaters at bioteam.net> wrote:
> > I would like to map the group "admins" in the ldap directory, to the
> > super-user account "admin-su" on a Juniper NAS. Likewise, map a directory
> > group "net-ro" to the read-only account "admin-ro" on a juniper nas.
>
>   OK.
>
> > When a user attempts to log into a nas with ldap account, the request
> goes
> > to radius which looks up the user group membership & password. If the
> ldap
> > user belongs to group "admins" in the ldap directory, the user is granted
> > super-user rights via admin-su account on the juniper nas. If a user
> > attempts juniper nas login, and belongs to ldap "net-ro" group they are
> > given "admin-ro" read-only access to the juniper nas.
>
>   That's clearer.  So write that down as a series of statements and if /
> then / else checks:
>
> * when a user logs into the NAS, they do so with a name X, and password Y
>
> * that information is sent to FreeRADIUS in an Access-Request
>
> * FreeRADIUS checks to see if that name / password is OK, and rejects them
>    if it's not OK.
>
> * if they are accepted, FreeRADIUS looks up their group information in LDAP
>
> * if they are in LDAP group "admins", FreeRADIUS should respond with
>   Juniper-Local-User-Name = "admin-su"
>
> * else if they are in LDAP group "net-ro",  FreeRADIUS should respond with
>    Juniper-Local-User-Name = "admin-ro"
>
>   Then, implement it piece by piece.  Get LDAP authentication working.
> Then, get LDAP group checking working.  That's done via the LDAP-Group
> attribute...
>
>   You'll want to put the Juniper-Local-User-Name into the "post-auth"
> section, as that is run only after a user is authenticated.
>
>         if (LDAP-Group == admins) {
>                 update reply {
>                         Juniper-Local-User-Name := "admin-su"
>                 }
>         }
>
> You'll see that once you get the problem stated clearly, you can map that
> pretty directly into the FreeRADIUS configuration.
>
>   Alan DeKok.
>
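
The complete post-auth mapping that Alan's bullet list describes, written out as an added example for FreeRADIUS 3.x (this is not code from the thread or from the FreeRADIUS project). It assumes the ldap module instance is named "ldap" (so the group attribute is LDAP-Group; an instance called "ldap2" would expose ldap2-LDAP-Group instead), that the instance's group { } block is configured with a base_dn and name_attribute so that group names such as "admins" can be resolved, and that the Juniper vendor dictionary is loaded, which the default dictionary does. The LDAP group names, local account names and the rejection of unmapped users are taken from the question; everything else is an assumption made for the example.

```unlang
# Added example, not from the original thread or from FreeRADIUS itself.
# Place this in the post-auth section of the virtual server (for example
# sites-enabled/default) that handles the Juniper NAS clients.
post-auth {
        # Everything here runs only for users whose name and password have
        # already been accepted by the ldap module during authentication.
        # LDAP-Group membership is resolved by the ldap module instance
        # named "ldap" (assumption; see lead-in). The first matching branch
        # wins, so a user in both groups is mapped to the super-user account.
        if (LDAP-Group == "admins") {
                update reply {
                        Juniper-Local-User-Name := "admin-su"
                }
        }
        elsif (LDAP-Group == "net-ro") {
                update reply {
                        Juniper-Local-User-Name := "admin-ro"
                }
        }
        else {
                # Valid LDAP credentials but no device role: refuse the login
                # instead of sending an Access-Accept with no local account
                # mapping and letting the NAS decide what that means.
                # Returning reject from post-auth turns the Access-Accept into
                # an Access-Reject.
                reject
        }
}
```

The explicit else branch is the piece worth keeping: without it, any account in the directory that can authenticate gets an Access-Accept, and whether that login is refused or silently granted some default access is then decided by the NAS configuration rather than by RADIUS. To see which branch fired for a given login, run the server with radiusd -X and look for the LDAP-Group comparison and the resulting reply attributes in the post-auth output.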
