Can't append attributes to the Access-Accept relayed from the proxy home-server to the clients

Mon Jun 1 23:35:51 CEST 2020

Thanks Alan! It works!

Is there anyway to do this with the authorize file or even with the MariaDB? I have users that will have different level of access, and they access different devices. For example, some need to access the Cisco, but not the FortiGate. I was hoping to create groups in the MariaDB like Fortinet-RW, Cisco-RW, ...etc, each with required VSAs in the radgroupreply table. I know that I probably can go with conditions in your config but it would be very convenient if there is a more managed approach.

Thanks!
Difan

-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+difan.zhao=pason.com at lists.freeradius.org> On Behalf Of Alan DeKok
Sent: June 1, 2020 3:10 PM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: Can't append attributes to the Access-Accept relayed from the proxy home-server to the clients

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

On Jun 1, 2020, at 3:12 PM, Difan Zhao <Difan.Zhao at pason.com> wrote:
>
> I am setting up a freeradius (ver 3.0.16) server on a ubundu 18.04 box and I will use it to authenticate admin access to the networking devices for the mgmt purpose. It doesn't store user passwords locally. It will proxy the authentication requests to a Windows NPS (also running the radius service) that has access to the Windows AD for the user credentials. The idea is that, this freeradius server would append the VSAs for users upon successful authentication to give them the adequate access on the switches, routers, firewalls, ...etc
>
> So I am able to proxy the authentication request to the NPS and I am getting Access-accept back. I am able to get the proper access to my firewall by sending the VSAs but only if I use local accounts. However, I just can't combine them together.
>
> Here is my authorize file

  We don't need to see configuration files.  Read http://wiki.freeradius.org/list-help

> Here is my -X output. The NPS does MFA so the response is a little slow because I need to click on "approve" on the phone app. I don't see the Access-Accept packet to the client has the Fortinet VSA of "RW" included...

  When the server proxies requests, it uses the reply from the proxy as the default reply to the NAS.  i.e. it deletes any pre-existing reply, and replaces it with the reply from the proxy.

  You will need to add the Fortigate attribute in the "post-auth" section:

post-auth {
        ...
        update reply {
                Fortinet-Group-Name := 'RW'
        }
        ...
}

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html