How to restrict authorization to members of FreeIPA group

Kees Bakker keesb at ghs.com
Wed Jul 10 09:35:09 CEST 2019


On 09-07-19 15:05, Alan DeKok wrote:
> On Jul 9, 2019, at 3:01 PM, Kees Bakker via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>> We have a Cisco for VPN and we have FreeIPA for the user administration.
>> What I want is to only allow users in a FreeIPA group to connect to the VPN.
>> Notice that, as far as FreeRADIUS is concerned, FreeIPA is just an LDAP
>> server.
>    That's good.
>
>> So far I am able to connect the radius server to our FreeIPA server. Using
>> the radtest command I can see that authentication works. (I'm not sure
>> about authorization, though.)
>    RADIUS uses one packet for authentication and authorization.
>
>> The Cisco is configured and FreeIPA users can connect to the VPN. However, I
>> haven't figured out how to restrict VPN to only users from a specific group.
>>
>> Which configuration file do I need to adapt? Where should I be looking?
>    You need to check LDAP groups.  See sites-available/default
>
>    In the "post-auth" section, add:
>
> 	if (LDAP-Group == "groupname") {
> 		update reply {
> 			Tunnel-Type := VLAN
> 			Tunnel-Medium-Type := IEEE-802
> 			Tunnel-Private-Group-ID := "vlan name"
> 		}
> 	}
>

Thanks for this example.
Meanwhile we have found another suggestion which seems
to be working. But it remains magic.

In sites-available/default we have this

authorize {
...
         ldap
         if ((ok || updated) && User-Password) {
                 update {
                         control:Auth-Type := ldap
                 }
         }
         group_authorization
...

In mods-config/preprocess/huntgroups we defined a new
huntgroup

ourgw            NAS-IP-Address == 172.16.16.1

In a new file policy.d/group_authorization we have

#---------------------------------------------------------------------------------------
group_authorization {
    if (&Huntgroup-Name == "ourgw") {
      if (&LDAP-Group[*] == "cn=vpn_users,cn=groups,cn=accounts,$SUFFIX") {
        ok
      }
      else {
        update reply {
          &Reply-Message := "Not authorized for VPN"
        }
        reject
      }
    }
    else {
       update reply {
         &Reply-Message := "Not authorized for unknown huntgroup"
       }
       reject
    }
}
#---------------------------------------------------------------------------------------

This is working for us. But I must say that we don't know if the rejects
in the else parts are correct. We do have a problem that the Cisco does
not look at its local users anymore (if the radius server is present).
-- 
Kees
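Added example, not part of this thread: the `LDAP-Group[*]` comparison in the
group_authorization policy above only resolves if the rlm_ldap module knows
where FreeIPA keeps its groups and how membership is recorded. This is a
mods-available/ldap fragment written for FreeIPA's tree; the server name,
the bind account and the `dc=example,dc=com` suffix (the thread's `$SUFFIX`)
are placeholders.

```conf
# mods-available/ldap (FreeRADIUS 3.0.x), trimmed to the parts that make
# LDAP-Group checks work against FreeIPA. Placeholders: ipa.example.com,
# the bind account, its password, and dc=example,dc=com.
ldap {
	server = 'ipa.example.com'

	# FreeIPA keeps non-personal bind accounts under cn=sysaccounts,cn=etc.
	# Use a dedicated, read-only system account rather than an admin user.
	identity = 'uid=radius,cn=sysaccounts,cn=etc,dc=example,dc=com'
	password = 'REPLACE_WITH_SYSACCOUNT_PASSWORD'

	base_dn = 'dc=example,dc=com'

	user {
		# FreeIPA users live under cn=users,cn=accounts,$SUFFIX
		base_dn = "cn=users,cn=accounts,${..base_dn}"
		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	group {
		# Groups live under cn=groups,cn=accounts,$SUFFIX, which is why the
		# policy compares against "cn=vpn_users,cn=groups,cn=accounts,$SUFFIX".
		base_dn = "cn=groups,cn=accounts,${..base_dn}"
		filter = '(objectClass=groupOfNames)'
		name_attribute = cn

		# FreeIPA writes group DNs into each user's memberOf attribute
		# (nested groups included), so membership can be read from the
		# user entry instead of searching every group.
		membership_attribute = 'memberOf'

		# Cache the DNs on the user entry as LDAP-Group so that
		# &LDAP-Group[*] == "<dn>" is answered from the cache. Set
		# cacheable_name = 'yes' as well if you want to compare by plain
		# group name ("vpn_users") rather than by DN.
		cacheable_dn = 'yes'
		cacheable_name = 'no'
	}
}
```

With this in place, `radiusd -X` shows the cached group DNs being added to the control list during authorize, which is the quickest way to confirm that the DN used in the policy matches what FreeIPA actually returns.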