"Tarun Bhushan" <[EMAIL PROTECTED]> wrote:
> The question is - how do I prevent a successful "user" login from being
> misused to make attempts to access the firewall administration interface?

  The answer is you either distinguish users by IP address of the
RADIUS client, or by something in the RADIUS packet (usually a realm
in the user name).

> As IP address cannot be used to distinguish between the types of
> users,

  Why?  You said:

> IP addresses cannot be used as a means of differentiating between
> administrators and users as they access resources from the same subnets
> (dial-up, VPN or LAN) and the addresses are dynamic.

  So your firewall has a dynamic IP?

  Your dial-in users are on the same subnet as your LAN users?

  This is bad network design.  Users should generally be segregated
into different networks, as it makes ALL of your network configuration
easier.

> how do I prevent a user from successfully authenticating via the
> (proxied, other) Radius server and then attempting to do firewall
> administration, as opposed to an administrator successfully
> authenticating via the local (system) Radius server? In both cases,
> the Radius "client" is the firewall itself.

  The firewall knows the difference between local users and remote
ones.  So it can send packets with two different contents.  If all
else fails, it can re-write the usernames before putting them in the
packet, like "user@admin", or "user@vpn".

> 1. Administrator "A" wants to administer firewall 192.168.12.5 and connects
> to it (SSH). The firewall asks "A" for usercode/password which is supplied.
> As the firewall is configured to authenticate via the Radius server on the
> Linux box at 192.168.12.10,

  How?  You haven't said that part.

> The answer may well be a trivial one - however, I do not have enough
> experience with FreeRadius and cannot think of a way of preventing "B".

  The answer appears to be that your firewall is set up wrong.  Do you
*really* allow users to log in to your firewall via SSH?  This is
*very* bad from a security point of view.

  You probably want to set up a TCP relay on the firewall, and proxy
SSH to another machine.  You can then set up SSH on the firewall on a
non-standard port, and allow only administrators to log in to the
firewall directly.

  Alan DeKok.

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

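As an added example (not from this thread, and not FreeRADIUS's own shipped configuration), here is a FreeRADIUS 3.x `proxy.conf` fragment implementing the realm split Alan describes: the firewall is assumed to send SSH admin logins as "user@admin" and end-user logins as "user@vpn", the users' RADIUS server is assumed to be 192.168.12.20, and the shared secret is a placeholder.

```conf
# proxy.conf (FreeRADIUS 3.x syntax) -- added example, not a file from the thread
# or from the FreeRADIUS project.  Assumes the "suffix" instance of the realm
# module (delimiter "@") runs in the authorize section, as in the default config,
# and that the firewall rewrites names to "user@admin" or "user@vpn".

# "admin" realm: no auth_pool, so this server authenticates the login itself
# against whatever local backend holds the administrator accounts.  A VPN user
# who reaches the SSH prompt arrives as "B@admin" and fails here, because B has
# no local admin account.
realm admin {
}

# The other (users') RADIUS server.  Address and secret are assumed values.
home_server users_radius {
	type   = auth
	ipaddr = 192.168.12.20
	port   = 1812
	secret = CHANGE_ME_SHARED_SECRET
}

home_server_pool users_pool {
	type        = fail-over
	home_server = users_radius
}

# "vpn" realm: forwarded to the users' server.  Without "nostrip" the "@vpn"
# suffix is removed before forwarding, so that server still sees the bare name.
realm vpn {
	auth_pool = users_pool
}

# Names with no realm ("bob") and names with an unknown realm stay local and,
# lacking a local account, are refused; nothing is forwarded by accident.
realm NULL {
}
realm DEFAULT {
}
```

Check the split with `radiusd -X` and two test requests, one for "alice@admin" and one for "bob@vpn": the debug log should show the first handled locally and the second proxied to users_radius with User-Name "bob".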