On Sun, 3 Nov 2002 23:46:58 +1100
"Tarun Bhushan" <[EMAIL PROTECTED]> wrote:

> Hello
> 
> I am setting up a FreeRadius server (currently installed snapshot from
> October 30, 2002). I would be grateful if someone could assist with a
> means to do the following (sorry for the long-ish post):
> 
> The Radius server would be used to authenticate administrators (of the
> Radius server itself and two firewalls), as well as users of the
> firewalls. The administrators would be authenticated via the Linux system
> on which the Radius server runs (Auth-Type = System). Authentication for
> the firewall users will be proxied to another external Radius server
> (administered by others). IP addresses cannot be used as a means of
> differentiating between administrators and users as they access resources
> from the same subnets (dial-up, VPN or LAN) and the addresses are dynamic.
> 
> The question is - how do I prevent a successful "user" login from being
> misused to make attempts to access the firewall administration interface?
> As IP address cannot be used to distinguish between the types of users,
> how do I prevent a user from successfully authenticating via the
> (proxied, other) Radius server and then attempting to do firewall
> administration, as opposed to an administrator successfully
> authenticating via the local (system) Radius server? In both cases, the
> Radius "client" is the firewall itself.
> 
> In case the problem is not clear, I will describe it via examples:
> 
> 1. Administrator "A" wants to administer firewall 192.168.12.5 and
> connects to it (SSH). The firewall asks "A" for usercode/password which
> is supplied. As the firewall is configured to authenticate via the Radius
> server on the Linux box at 192.168.12.10, it sends off the Radius request
> to it. Successful authentication occurs via the Radius server accessing
> the local "A" account on the Linux /etc/passwd.
> 2. User "B" decides to attempt to access the firewall SSH and attempts a
> connection to 192.168.12.5. The firewall asks "B" for usercode/password
> which is supplied. As the firewall is configured to authenticate via the
> Radius server on the Linux box at 192.168.12.10, it sends off the Radius
> request to it. "B" is not in the Linux /etc/passwd file, but is proxied
> to the external Radius server due to a "DEFAULT" in the 'users' file.
> Successful authentication occurs and "B" thus gets access to the
> firewall.
> 
> The answer may well be a trivial one - however, I do not have enough
> experience with FreeRadius and cannot think of a way of preventing "B".
> 
> Thanks
> 
> Tarun

You should be able to do what you want by configuring pam to only accept
certain groups of users to local login. This is not something you need to
configure in radius, but rather on your local system. Your current
configuration seems quite dodgy..
You could also configure ssh to only accept a certain group in sshd_config. 

Either way you need to setup your "firewall" correctly..

Mail me back if you need more help with this.

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
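The point of the reply above is that a RADIUS Access-Accept only proves authentication; whether the account may open an *administrative* session has to be decided separately, on the device that grants the session, by checking local group membership (sshd's AllowGroups, or a PAM group check). The following script is an added illustration of that decision logic and is not code from the thread, FreeRADIUS, sshd or PAM. The /etc/group and sshd_config contents are constructed samples; the login names "A" and "B" and the group name "fwadmins" are assumptions. It parses the two files in their real formats and shows that "B", accepted by the proxied RADIUS server but absent from the local admin group, is refused, while the same configuration without AllowGroups lets "B" straight through.

```python
"""Authorization gate modelled on the reply's advice.

RADIUS answers "who is this?"; the admin interface must still answer
"may this account administer me?".  Added example, not project code.
"""

# Constructed sample of /etc/group on the Linux box (192.168.12.10).
# "A" is an administrator; "B" is an ordinary firewall user.
ETC_GROUP = """\
root:x:0:
users:x:100:A,B
fwadmins:x:500:A
"""

# Constructed sshd_config fragment (hardened): only fwadmins may log in.
SSHD_CONFIG = """\
# only the firewall-admin group gets a shell
AllowGroups fwadmins
PasswordAuthentication yes
"""

# Constructed sshd_config fragment (weak): no AllowGroups at all, so every
# account RADIUS accepts, including proxied ones, is allowed in.
SSHD_CONFIG_WEAK = """\
PasswordAuthentication yes
"""


def parse_groups(text):
    """Map group name -> set of member logins, from /etc/group format.

    Only supplementary members listed in the fourth field are recorded;
    membership via a user's primary GID is ignored in this model.
    """
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _password, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def allowed_groups(sshd_config):
    """Return the group names given to AllowGroups, or None when the
    directive is absent (sshd's default: every authenticated account)."""
    for line in sshd_config.splitlines():
        parts = line.split()
        if parts and parts[0].lower() == "allowgroups":
            return set(parts[1:])
    return None


def admin_login_permitted(user, radius_accept, groups, allow):
    """Decision the admin interface should make after RADIUS replies.

    radius_accept: True when the RADIUS exchange ended in Access-Accept
    groups:        result of parse_groups()
    allow:         result of allowed_groups(); None means no restriction
    """
    if not radius_accept:
        return False                      # authentication failed
    if allow is None:
        return True                       # weak: Accept alone grants admin
    return any(user in groups.get(g, set()) for g in allow)


if __name__ == "__main__":
    groups = parse_groups(ETC_GROUP)
    for cfg_name, cfg in (("hardened", SSHD_CONFIG), ("weak", SSHD_CONFIG_WEAK)):
        allow = allowed_groups(cfg)
        for user in ("A", "B"):
            verdict = admin_login_permitted(user, True, groups, allow)
            print(f"{cfg_name:8} RADIUS accepted {user}: admin session "
                  f"{'permitted' if verdict else 'refused'}")
```

The check must live on whatever actually hands out the admin session. AllowGroups in the sshd_config of the Linux box only protects the Linux box; the firewall's own SSH or PAM configuration needs the equivalent restriction, which is what the reply means by setting up the firewall correctly.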
