"Mike May" <[EMAIL PROTECTED]> wrote:

> Hello everyone, is it possible to have NAS entries for a subnet, if so
> could someone give me an example

  raddb/clients.conf

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book

Thanks for the example, Alan. I thought it may be helpful for me to provide you some more information. I am not a RADIUS expert but have managed to keep a somewhat large client base using RADIUS. I currently use the clients file to allow connections, but not to do any real authorization. An example of my clients file is below; this is only a small section, as my RADIUS servers handle modem pool, VPN, wireless, 802.1x etc. and soon wired 802.1x. I use LDAP/Kerberos as the authn backend.

I use huntgroup entries to point to matches in my users file; see examples below. The users file is where I am using ldaps.conf to connect to the directory servers, verifying what group the user is in and at the end authn to the Kerberos store. After the authn I set some authz like Cisco-AVPair = "priv-lvl=15", used by Cisco routers and switches for network engineers who live in the proper LDAP group, and here is where the problem is. PIX firewalls do not like me setting the priv lvl, and the reason is that the PIX will only accept authz from a TACACS server (it seems like). What I need to do is specify a "netauth" == NAS-IP-ADDRESS 192.168.20.0/23 subnet, instead of "netauth" == NAS-IP-ADDRESS 192.168.20.15. This way I can use my users file and not set the Cisco priv lvl for those devices that live on the firewall subnets.

Thank you for all your help

Mike

 

========= clients.conf=============================

# These are for network engineering devices (outside wireless and dialup)
# 2/20/06

client 172.16.255.2/29 {
        secret =
        shortname = devicenet-15
}
client 172.16.240.0/20 {
        secret =
        shortname = devicenet-16
}
client 172.17.240.0/20 {
        secret =
        shortname = devicenet-17
}
client 172.18.240.0/20 {
        secret =
        shortname = devicenet-18
}
client 172.19.240.0/20 {
        secret =
        shortname = devicenet-19
}
client 172.20.240.0/20 {
        secret =
        shortname = devicenet-20
}
client 172.21.240.0/20 {
        secret =
        shortname = devicenet-21
}
client 172.22.240.0/20 {
        secret =
        shortname = devicenet-22
}

Huntgroups

wireless-prime  NAS-IP-Address == xxx.xxx.xxx.xxx
wireless-backup NAS-IP-Address == xxx.xxx.xxx.xxx
spam1           NAS-IP-Address == xxx.xxx.xxx.xxx
spam2           NAS-IP-Address == xxx.xxx.xxx.xxx
ciscovpnadmin   NAS-IP-Address == xxx.xxx.xxx.xxx
dialup8         NAS-IP-Address == xxx.xxx.xxx.xxx
ciscovpnadmin2  NAS-IP-Address == xxx.xxx.xxx.xxx
dialup9         NAS-IP-Address == xxx.xxx.xxx.xxx
dialup10        NAS-IP-Address == xxx.xxx.xxx.xxx
netautz         NAS-Port-Type == "Virtual"
netautz_fw      NAS-IP-Address == xxxx
netautz_fw1     NAS-IP-Address == xxxxx

===================================================

 

Users file

DEFAULT Huntgroup-Name == "netautz", Ldap-Group == ndeg6qr2, Autz-Type := ldap-vpn, Auth-Type := ldap-vpn
        Service-Type = 6,
        Cisco-AVPair = "priv-lvl=15",
        Fall-Through = Yes

DEFAULT Huntgroup-Name == "netautz_fw", Ldap-Group == ndeg6qr2, Autz-Type := ldap-vpn, Auth-Type := ldap-vpn
        Service-Type = 6,
        Fall-Through = Yes

DEFAULT Huntgroup-Name == "netautz_fw1", Ldap-Group == ndeg6qr2, Autz-Type := ldap-vpn, Auth-Type := ldap-vpn
        Service-Type = 6,
        Fall-Through = Yes

# VPN Group Definition note please make additions at the beginning of the stanza not the end
DEFAULT Huntgroup-Name == "ciscovpnadmin", Hint =="NETENG", Ldap-Group == ndbx2jj5, Autz-Type := ldap-vpn, Auth-Type := ldap-vpn
        CVPN3000-IPSec-Banner1 = "Welcome to VPN group NETENG!",
        Class = "OU=neteng;",
        Fall-Through = No
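Added example (not from the original post and not FreeRADIUS's own code): a small Python model of the huntgroup and users-file logic the post describes, with NAS-IP-Address matched against a CIDR prefix so one huntgroup line covers a whole firewall subnet. The huntgroup table, the users entries, the addresses and the ordering of the entries are all constructed for the example; in particular the firewall entries are placed first with Fall-Through = No, which is this example's choice, so that a device on the firewall subnet never reaches the entry that adds the priv-lvl AVPair. Ldap-Group is modelled as a plain request attribute rather than a directory lookup.

```python
"""Toy model of huntgroup and users-file evaluation with CIDR NAS matching.

Added example, not FreeRADIUS code: the tables, addresses and the matching
rules below are a simplified, hypothetical model of the setup in the post.
"""
import ipaddress

# Constructed huntgroups table: (huntgroup name, check attribute, value).
# A NAS-IP-Address value may be a single host or a CIDR prefix, which is
# the subnet form the post asks for. Addresses are invented.
HUNTGROUPS = [
    ("netautz",     "NAS-Port-Type",  "Virtual"),
    ("netautz_fw",  "NAS-IP-Address", "192.168.20.0/23"),  # whole firewall subnet
    ("netautz_fw1", "NAS-IP-Address", "192.168.40.15"),    # one firewall
]

# Constructed users-file entries: (check items, reply items, Fall-Through).
# Ldap-Group is modelled as a plain request attribute here; in a real
# server it is a check done by the LDAP module. The firewall entries come
# first with Fall-Through = No so a firewall never reaches the entry that
# adds the priv-lvl AVPair; that ordering is this example's choice.
USERS = [
    ({"Huntgroup-Name": "netautz_fw",  "Ldap-Group": "ndeg6qr2"},
     {"Service-Type": "6"}, False),
    ({"Huntgroup-Name": "netautz_fw1", "Ldap-Group": "ndeg6qr2"},
     {"Service-Type": "6"}, False),
    ({"Huntgroup-Name": "netautz",     "Ldap-Group": "ndeg6qr2"},
     {"Service-Type": "6", "Cisco-AVPair": "priv-lvl=15"}, True),
]


def in_huntgroup(request, name, huntgroups=HUNTGROUPS):
    """True if any huntgroup line called `name` matches the request.

    Every line with that name is consulted; a NAS-IP-Address value is parsed
    as a network, so "a.b.c.d" matches one host and "a.b.c.0/23" a subnet.
    """
    for hg_name, attr, value in huntgroups:
        if hg_name != name:
            continue
        if attr == "NAS-IP-Address":
            nas_ip = ipaddress.ip_address(request.get("NAS-IP-Address", "0.0.0.0"))
            if nas_ip in ipaddress.ip_network(value, strict=False):
                return True
        elif request.get(attr) == value:
            return True
    return False


def checks_match(request, checks, huntgroups=HUNTGROUPS):
    """All check items of one users-file entry must hold for the request."""
    for attr, value in checks.items():
        if attr == "Huntgroup-Name":
            if not in_huntgroup(request, value, huntgroups):
                return False
        elif request.get(attr) != value:
            return False
    return True


def authorize(request, users=USERS, huntgroups=HUNTGROUPS):
    """Walk the entries in order, accumulating reply items, and stop after
    the first matching entry without Fall-Through. Returns the reply items."""
    reply = {}
    for checks, reply_items, fall_through in users:
        if not checks_match(request, checks, huntgroups):
            continue
        reply.update(reply_items)
        if not fall_through:
            break
    return reply


if __name__ == "__main__":
    # Constructed requests: a firewall inside the /23 and a router elsewhere.
    firewall = {"NAS-IP-Address": "192.168.21.7", "NAS-Port-Type": "Virtual",
                "Ldap-Group": "ndeg6qr2"}
    router = {"NAS-IP-Address": "10.1.2.3", "NAS-Port-Type": "Virtual",
              "Ldap-Group": "ndeg6qr2"}
    print("firewall in /23 :", authorize(firewall))   # Service-Type only
    print("router          :", authorize(router))     # adds priv-lvl=15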

 

 

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
