Hello I am setting up a FreeRadius server (currently installed snapshot from October 30, 2002). I would be grateful if someone could assist with a means to do the following (sorry for the long-ish post):
The Radius server would be used to authenticate administrators (of the Radius server itself and two firewalls), as well as users of the firewalls. The administrators would be authenticated via the Linux system on which the Radius server runs (Auth-Type = System). Authentication for the firewall users will be proxied to another external Radius server (administered by others). IP addresses cannot be used as a means of differentiating between administrators and users as they access resources from the same subnets (dial-up, VPN or LAN) and the addresses are dynamic.

The question is - how do I prevent a successful "user" login from being misused to make attempts to access the firewall administration interface? As IP address cannot be used to distinguish between the types of users, how do I prevent a user from successfully authenticating via the (proxied, other) Radius server and then attempting to do firewall administration, as opposed to an administrator successfully authenticating via the local (system) Radius server? In both cases, the Radius "client" is the firewall itself.

In case the problem is not clear, I will describe it via examples:

1. Administrator "A" wants to administer firewall 192.168.12.5 and connects to it (SSH). The firewall asks "A" for usercode/password which is supplied. As the firewall is configured to authenticate via the Radius server on the Linux box at 192.168.12.10, it sends off the Radius request to it. Successful authentication occurs via the Radius server accessing the local "A" account on the Linux /etc/passwd.

2. User "B" decides to attempt to access the firewall SSH and attempts a connection to 192.168.12.5. The firewall asks "B" for usercode/password which is supplied. As the firewall is configured to authenticate via the Radius server on the Linux box at 192.168.12.10, it sends off the Radius request to it. "B" is not in the Linux /etc/passwd file, but is proxied to the external Radius server due to a "DEFAULT" in the 'users' file. Successful authentication occurs and "B" thus gets access to the firewall.

The answer may well be a trivial one - however, I do not have enough experience with FreeRadius and cannot think of a way of preventing "B".

Thanks, Tarun

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
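One defensive pattern for the FreeRADIUS `users` file, added here as an illustration and not taken from the original thread: administrators are matched by name and authenticated against the local system, while everyone else falls through to DEFAULT and is proxied, and the reply marks each population with a different RFC 2865 `Service-Type` so the firewall can refuse the administrative interface to non-administrative logins. It assumes the firewall honours the `Service-Type` reply attribute, that the external server is defined as realm `external` in `proxy.conf`, and that a locally set `:=` reply item takes precedence over whatever the home server returns (verify both assumptions with `radiusd -X` and `radtest` before relying on them).

```text
# Administrators: authenticate via the local Linux accounts (Auth-Type := System),
# mark the session as administrative, and stop processing so the DEFAULT entry
# below can never apply to an administrator. Names are constructed examples.
admin_a    Auth-Type := System
           Service-Type = Administrative-User,
           Fall-Through = No

admin_b    Auth-Type := System
           Service-Type = Administrative-User,
           Fall-Through = No

# Everyone else: forward to the external Radius server (realm "external" is an
# assumed name from proxy.conf). The reply is forced to a non-administrative
# Service-Type so a proxied user is never presented to the firewall as an admin.
DEFAULT    Proxy-To-Realm := "external"
           Service-Type := Login-User
```

Enforcement still happens on the firewall: it must be configured to allow SSH administration only when the Access-Accept carries `Service-Type = Administrative-User`, otherwise the marking above changes nothing.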
