Hello all :)
So after getting my testing box current with FR 2.1.5 I have my config 97%
there, but I am having an interesting situation occur that I am hoping is fairly
straightforward.
Overview of config.
User accounts authenticated against Kerberos KDC (Working 100%)
User Account Attributes held in LDAP, LM Hash for PEAP, Blacklist (if you are
in there you are denied) (working 100%) I cannot inject values into LDAP,
would like to but cannot...
So all that is left is a little authorization work.
In my passwd module I have the following (it made sense to have the group name
appear as if it came from the authenticator... hence the ~):
passwd noc_group {
filename = /usr/local/etc/raddb/group
format = "~Group-Name:*,User-Name"
hashsize = 50
ignorenislike = yes
allowmultiplekeys = yes
delimiter = ":"
}
The "group" file is formatted:
NOC:Usernamea,Usernameb etc.
Here is where I get a touch lost. The noc_group section appears to be working,
when I look at the debug output it is properly finding the usernames in the
list and reports
[noc_group] Added Group-Name: 'NOC' to request_items
++[noc_group] returns ok
Now where to go from here... Let me start by where I would like to go... I
would like to have a block of vendor specific RADIUS attributes sent back in
the Access-Accept (assuming they passed authentication...). This way when folks
log into network devices they are granted the correct level of access (like
with our switches... Some people are granted read only access to verify certain
aspects, and admins get read write, so while I am starting with the admin
group there will be other groups with different vendor specific attrs I would
like to have sent for them.) I am assuming unlang will be the way to go;
however, when I attempt to utilize this method I fail (RADIUS will not start, as
currently I am simply trying to append a Reply-Message when NOC-Group scores a
hit).
I have tried this in the post-auth section within default in sites-enabled.
if (%{request:Group-Name} == "NOC") {
    Reply-Message = 'Noc-Group Match'
}
I receive "Unknown action 'NOC-Group Match'" and radius does not load (Error
Initializing Modules).
So where should I be placing the unlang code, and what parameters does it
understand and can pass to and from the daemon?
Thank you
Larry
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
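A working form of the post-auth block, added here as an example and not part of Larry's post or the FreeRADIUS project's own configuration. It assumes FreeRADIUS 2.1.x, the noc_group passwd instance above listed in authorize {}, and Cisco's dictionary (Cisco-AVPair with shell:priv-lvl) for the vendor attributes; the attribute names and the "NOC-RO" group are assumptions to swap for your own vendor and groups.

```unlang
# Added example for sites-enabled/default on FreeRADIUS 2.1.x, not from the
# original post. Assumes noc_group runs in authorize {} so that Group-Name is
# already in the request list when post-auth {} runs (post-auth only runs
# for accepted requests unless Post-Auth-Type REJECT is used).
post-auth {
    # Compare the attribute directly; %{...} expansion is for strings, and a
    # bare "Attr = value" line inside if {} is read by the 2.x parser as a
    # "module = action" pair, which is what produced "Unknown action".
    if (request:Group-Name == "NOC") {
        # Attribute assignments must live inside an update block.
        update reply {
            Reply-Message := "Noc-Group Match"
            # Assumed vendor attributes (Cisco dictionary): read-write
            # shell access. Substitute your own vendor's attributes.
            Service-Type := NAS-Prompt-User
            Cisco-AVPair += "shell:priv-lvl=15"
        }
    }
    # A second group, e.g. a read-only one, is just another branch with its
    # own update reply {} block. "NOC-RO" is an assumed group name.
    elsif (request:Group-Name == "NOC-RO") {
        update reply {
            Reply-Message := "Noc-RO-Group Match"
            Service-Type := NAS-Prompt-User
            Cisco-AVPair += "shell:priv-lvl=1"
        }
    }

    # Keep whatever else was already in your post-auth section here.
}
```

The group file entries become one Group-Name per matching line, so each group you add needs its own branch; run radiusd -X and check that "Sent Access-Accept" lists the vendor attributes before pointing a switch at it.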