Conditional shell:priv-lvl as login reply on CISCO using client's source net and user's ldap attribute.

Giuseppe Civitella gcivitella at enter.eu
Fri Jan 12 16:33:54 CET 2018


Hi all,

I need to enable some users to log in to different groups of Cisco
devices and get different shell:priv-lvl values.

I'm trying to group the devices by their IP using a dynamic-clients
template. I'd like to send them to a different virtual server based on
the source network of the auth request.

Then I'd like to be able to choose which shell:priv-lvl to give them, using
LDAP attributes like "o=groupA-shellPriv15" or "o=groupA-shellPriv7".

I'm trying to achieve the first result using a configuration like this one:

client my-dynclient {
        ipaddr = 10.200.20.0/24
        dynamic_clients = my-dynclients
        lifetime = 3600
}

server my-dynclients {

        authorize {

                if ("%{ldap:ldap:///BASEDN?objectClass?one?(radiusClientIdentifier=%{Packet-Src-IP-Address})}") {
                        update control {
                                &FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
                                &FreeRADIUS-Client-Shortname = "%{ldap:ldap:///BASEDN?radiusClientShortname,objectClass?one?(radiusClientIdentifier=%{Packet-Src-IP-Address})}"
                                &FreeRADIUS-Client-Secret = "%{ldap:ldap:///BASEDN?radiusClientSecret,objectClass?one?(radiusClientIdentifier=%{Packet-Src-IP-Address})}"
                                &FreeRADIUS-Client-Virtual-Server = "%{ldap:ldap:///BASEDN?radiusClientVirtualServer,objectClass?one?(radiusClientIdentifier=%{Packet-Src-IP-Address})}"
                        }
                }
                ok
        }
}

When I try the login, the if condition succeeds:

Fri Jan 12 16:12:57 2018 : Debug: rlm_ldap (ldap): Bind successful
Fri Jan 12 16:12:57 2018 : Debug: (0)     EXPAND %{ldap:ldap:///BASEDN?objectClass?one?(radiusClientIdentifier=%{Packet-Src-IP-Address})}
Fri Jan 12 16:12:57 2018 : Debug: (0)        --> radiusClient
Fri Jan 12 16:12:57 2018 : Debug: (0)     if ("%{ldap:ldap:///BASEDN?objectClass?one?(radiusClientIdentifier=%{Packet-Src-IP-Address})}") -> TRUE
Fri Jan 12 16:12:57 2018 : Debug: (0)     if ("%{ldap:ldap:///BASEDN?objectClass?one?(radiusClientIdentifier=%{Packet-Src-IP-Address})}") {
Fri Jan 12 16:12:57 2018 : Debug: (0)       update control {
Fri Jan 12 16:12:57 2018 : Debug: (0)         EXPAND %{Packet-Src-IP-Address}
Fri Jan 12 16:12:57 2018 : Debug: (0)            --> 10.200.20.79
Fri Jan 12 16:12:57 2018 : Debug: (0)         &FreeRADIUS-Client-IP-Address = 10.200.20.79
Fri Jan 12 16:12:57 2018 : ERROR: (0)         Bad attributes list in LDAP URL. URL must specify exactly one attribute to retrieve

even though I get, for the first time: "Bad attributes list in LDAP URL. URL
must specify exactly one attribute to retrieve".

When retrieving FreeRADIUS-Client-Shortname, FreeRADIUS-Client-Secret
and FreeRADIUS-Client-Virtual-Server I got empty values and the same
error about the LDAP URL.

I'm not sure about the debug message; I read that it is not possible to
get just the value you need using an LDAP URI without further filtering.
Am I wrong?


Previously I tried to decide which privilege level to send as a
RADIUS reply by scanning LDAP in a similar way:

post-auth {

...

        if ("%{ldap:ldap:///BASEDN?objectClass?one?(&(o=groupA-shellPriv15)(cn=%{User-Name}))}") {
                update reply {
                        #reply:ReplyAttribute     += 'cisco-avpair = "shell:priv-lvl=15"'
                        Reply-Message     += "Bingo!!!"
                }
        }
}


This worked in a setup without dynamic clients using the Reply-Message,
but raised an error when I experimented with the ReplyAttribute.

Does someone have suggestions on how to realize such a setup?

How much of this can be moved to LDAP (and then eventually
delegated to a web GUI)?


Best regards,

Giuseppe
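The two lookups the post describes, as an added example that is not the poster's configuration: every %{ldap:...} URL asks for a single attribute (the shortname, secret and virtual-server URLs above request two, `radiusClientShortname,objectClass`, which is what the "exactly one attribute" error refers to), and the per-group virtual server maps the user's o= value to a Cisco-AVPair shell:priv-lvl, rejecting a user with no matching value rather than handing out a default level. BASEDN, the radiusClient* attribute names and o=groupA-shellPriv15 follow the post; the virtual server name groupA and the groupA-shellPriv7 branch are assumptions.

```unlang
# Added example, not the poster's configuration. BASEDN, the radiusClient*
# attributes and o=groupA-shellPriv15 follow the post; the virtual server
# name "groupA" and the groupA-shellPriv7 branch are assumptions.
server my-dynclients {
        authorize {
                # Every %{ldap:...} URL names exactly one attribute, which is what
                # "URL must specify exactly one attribute to retrieve" asks for.
                if ("%{ldap:ldap:///BASEDN?radiusClientIdentifier?one?(radiusClientIdentifier=%{Packet-Src-IP-Address})}") {
                        update control {
                                &FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
                                &FreeRADIUS-Client-Shortname = "%{ldap:ldap:///BASEDN?radiusClientShortname?one?(radiusClientIdentifier=%{Packet-Src-IP-Address})}"
                                &FreeRADIUS-Client-Secret = "%{ldap:ldap:///BASEDN?radiusClientSecret?one?(radiusClientIdentifier=%{Packet-Src-IP-Address})}"
                                &FreeRADIUS-Client-Virtual-Server = "%{ldap:ldap:///BASEDN?radiusClientVirtualServer?one?(radiusClientIdentifier=%{Packet-Src-IP-Address})}"
                        }
                        ok
                }
                else {
                        # Source address not registered in LDAP: define no client.
                        reject
                }
        }
}

# Virtual server named in radiusClientVirtualServer for one device group.
# Its authorize/authenticate sections are as in the site's default server
# and are left out here.
server groupA {
        post-auth {
                # Map the user's o= value to the privilege level for this device
                # group; a user with neither value is rejected, not given a default.
                if ("%{ldap:ldap:///BASEDN?o?one?(&(o=groupA-shellPriv15)(cn=%{User-Name}))}") {
                        update reply {
                                &Cisco-AVPair += "shell:priv-lvl=15"
                        }
                }
                elsif ("%{ldap:ldap:///BASEDN?o?one?(&(o=groupA-shellPriv7)(cn=%{User-Name}))}") {
                        update reply {
                                &Cisco-AVPair += "shell:priv-lvl=7"
                        }
                }
                else {
                        reject
                }
        }
}
```

rlm_ldap registers an LDAP-filter escape function for its xlat, so the expanded %{User-Name} cannot change the structure of the filter; the EXPAND / --> lines in the debug output above are where to confirm the value each URL actually returned.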
More information about the Freeradius-Users mailing list