Can't append attributes to the Access-Accept relayed from the proxy home-server to the clients

Alan DeKok aland at deployingradius.com
Mon Jun 1 23:09:39 CEST 2020


On Jun 1, 2020, at 3:12 PM, Difan Zhao <Difan.Zhao at pason.com> wrote:
> 
> I am setting up a freeradius (ver 3.0.16) server on an Ubuntu 18.04 box and I will use it to authenticate admin access to the networking devices for the mgmt purpose. It doesn't store user passwords locally. It will proxy the authentication requests to a Windows NPS (also running the radius service) that has access to the Windows AD for the user credentials. The idea is that this freeradius server would append the VSAs for users upon successful authentication to give them the adequate access on the switches, routers, firewalls, etc.
> 
> So I am able to proxy the authentication request to the NPS and I am getting Access-Accept back. I am able to get the proper access to my firewall by sending the VSAs but only if I use local accounts. However, I just can't combine them together.
> 
> Here is my authorize file

  We don't need to see configuration files.  Read http://wiki.freeradius.org/list-help

> Here is my -X output. The NPS does MFA so the response is a little slow because I need to click on "approve" on the phone app. I don't see the Access-Accept packet to the client has the Fortinet VSA of "RW" included...

  When the server proxies requests, it uses the reply from the proxy as the default reply to the NAS.  i.e. it deletes any pre-existing reply, and replaces it with the reply from the proxy.

  You will need to add the Fortigate attribute in the "post-auth" section:

post-auth {
	...
	update reply {
		Fortinet-Group-Name := 'RW'
	}
	...
}

  Alan DeKok.
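A fuller post-auth section showing where that update sits relative to the reject handling in the default virtual server, added here as an example and not taken from the thread or from the FreeRADIUS distribution; the NAS-IP-Address check and the address 192.0.2.10 are assumptions (a constructed address standing in for the Fortigate), and the Post-Auth-Type REJECT block assumes the stock sites-enabled/default layout.

```unlang
# sites-enabled/default, post-auth section (added example, not from the thread).
#
# When a request is proxied, anything placed in the reply list during
# authorize is discarded and the home server's Access-Accept becomes the
# reply to the NAS. post-auth runs after that reply has arrived, so this
# is where the VSA has to be added.
post-auth {
	# The main body of post-auth only runs for an Access-Accept; rejects
	# are routed to the Post-Auth-Type REJECT block below, so the group
	# name can never leak onto a rejected login.
	#
	# Assumption: 192.0.2.10 is the firewall's NAS-IP-Address. Limiting
	# the update to that NAS keeps a Fortinet VSA from being sent to
	# switches and routers that proxy through the same server.
	if (&NAS-IP-Address == 192.0.2.10) {
		update reply {
			Fortinet-Group-Name := 'RW'
		}
	}

	Post-Auth-Type REJECT {
		# Strip attributes the home server may have put in its reject
		# so only attributes permitted in an Access-Reject reach the NAS.
		attr_filter.access_reject
	}
}
```

Check it from the same box with radtest and confirm that the Received Access-Accept lists Fortinet-Group-Name = "RW"; in the server's -X output the proxied reply is logged first, then the post-auth update that adds the attribute.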
