Hi, I want to achieve the following using Radiator:
Users connect via VPN to our Cisco ASA using AnyConnect, which authenticates the users via RADIUS. The Handler on Radiator is as follows. Basically, users belong to a group in our AD, let’s say vpn-inband. The client statement of the firewall includes the respective client-identifier to map the request to the handler.

--- schnip ---
##############################################
############# Authenticate VPN ##############
############## Cisco ASA VPN #################
##############################################
# InBand VPN
<Handler Client-Identifier=network-security-ib>
        # Require vpn-inband Group
        AddToRequest ADGroup="CN=vpn-inband,CN=xxx"
        # Continue Auth until acceptable permission set is found
        AuthByPolicy ContinueUntilAccept
        # Try emergency-user before asking AD
        AuthBy AuthByFile
        # Try to authenticate against AD
        AuthBy AuthByAD
</Handler>
--- schnapp ---

AuthBy AD actually just authenticates against AD:

--- schnip ---
<AuthBy LDAP2>
        # Define DC to connect to
        Host oob-ldap-proxy
        # Identifier to use this AuthBy Clause later
        Identifier AuthByAD
        # Administrative user used to perform LDAP queries
        AuthDN xxxxx
        AuthPassword xxxx
        # Where to search for users
        BaseDN OU=xxx-User,DC=xxx
        ServerChecksPassword
        # Add Check for group membership
        AuthAttrDef memberOf, ADGroup, check
        # Reply should include the group names for further processing
        AuthAttrDef memberOf, ADGroups, reply
        # There will be no default User
        NoDefault
        # LDAP attribute to check the UserName on
        UsernameAttr sAMAccountName
        AuthAttrDef logonHours,MS-Login-Hours,check
</AuthBy>
--- schnap ---

So far, this is already working. Let’s now say some of the users have an additional group in AD, say “CN=student,CN=xxx”. In this case, I want to restrict the source IP they may use to connect to the VPN. The appliance itself cannot handle this, but the RADIUS request includes the source IP.

--- snip ---
Attributes:
        User-Name = "daniel.herrmann"
        Calling-Station-Id = "10.1.0.10"
--- snap ---

I want to create this logic: if a user has both the inband and the student group, he may only connect if the Calling-Station-Id is within a specific range, say 10.10.10/24. If the user is only in the inband group and not in the student group, he may connect from everywhere.

What would be the easiest way to build this in Radiator?

Thanks and best regards
Daniel

--
Daniel Herrmann
Network Architect – Fraunhofer Private Cloud
CCIE #55056 (Routing and Switching)
Cisco CCDP, CCIP; Fluke CCTT
Fraunhoferstraße 5, 64283 Darmstadt
Mail: daniel.herrm...@zv.fraunhofer.de
_______________________________________________ radiator mailing list radiator@lists.open.com.au http://lists.open.com.au/mailman/listinfo/radiator
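One way to express the requested rule with the Handler from the post left as it is: a Radiator PostAuthHook that runs after the AuthBy chain and downgrades an ACCEPT to a REJECT when the user carries the student group but the Calling-Station-Id is outside the student source range. This is an added example, not Daniel's configuration or code from the Radiator project. Assumptions: the hook lives in a file of my choosing (/etc/radiator/student_src_check.pl) and is referenced from the Handler as `PostAuthHook file:"/etc/radiator/student_src_check.pl"`; the hook argument order ($p, $rp, \$result, \$reason), `get_attr` returning all values in list context, and `&main::log` are taken from the Radiator reference manual as I recall it and should be checked against the installed version; `ADGroups` is a dictionary attribute that the existing `AuthAttrDef memberOf, ADGroups, reply` line fills with one value per memberOf DN; the student group is identified by the DN prefix `CN=student,`; and the post's 10.10.10/24 is written out as 10.10.10.0/24.

```perl
# Added example, not from the original post. Assumed file name:
#   /etc/radiator/student_src_check.pl
# referenced from the Handler in the post as
#   PostAuthHook file:"/etc/radiator/student_src_check.pl"
# The hook runs after the AuthBy chain, so on ACCEPT the user has already
# passed the vpn-inband check done by "AuthAttrDef memberOf, ADGroup, check";
# only the student restriction is added here.
use strict;
use warnings;

# Source range(s) students may connect from (10.10.10/24 in the post).
my @STUDENT_SOURCE_RANGES = ('10.10.10.0/24');

# Matches the student group among the memberOf DNs copied into ADGroups
# (assumed DN prefix; adjust to the real group DN).
my $STUDENT_GROUP_RE = qr/^CN=student,/i;

# Dotted quad -> 32-bit integer, or undef for anything that is not a plain
# IPv4 literal. Deliberately not Socket::inet_aton: that would resolve a
# non-numeric Calling-Station-Id via DNS from the RADIUS server.
sub ip_to_int {
    my ($ip) = @_;
    return undef unless defined $ip
        && $ip =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
    my @o = ($1, $2, $3, $4);
    return undef if grep { $_ > 255 } @o;
    return ($o[0] << 24) | ($o[1] << 16) | ($o[2] << 8) | $o[3];
}

# 1 if $ip lies inside CIDR $cidr, 0 otherwise (malformed input is "outside").
sub ip_in_cidr {
    my ($ip, $cidr) = @_;
    my ($net, $bits) = split m{/}, $cidr, 2;
    return 0 unless defined $bits && $bits =~ /^\d+$/ && $bits <= 32;
    my $ip_n  = ip_to_int($ip);
    my $net_n = ip_to_int($net);
    return 0 unless defined $ip_n && defined $net_n;
    my $mask = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return (($ip_n & $mask) == ($net_n & $mask)) ? 1 : 0;
}

# Pure decision so it can be exercised without Radiator:
# returns (1, undef) to keep the ACCEPT, (0, $reason) to reject.
sub decide {
    my ($groups, $calling_station) = @_;
    my $is_student = grep { $_ =~ $STUDENT_GROUP_RE } @$groups;
    return (1, undef) unless $is_student;        # inband-only: any source
    for my $range (@STUDENT_SOURCE_RANGES) {
        return (1, undef) if ip_in_cidr($calling_station, $range);
    }
    # No or unparsable Calling-Station-Id also ends up here: fail closed.
    return (0, sprintf('student source %s not in allowed range',
                       defined $calling_station ? $calling_station : '<none>'));
}

# Stand-alone check: "perl student_src_check.pl" runs these. When Radiator
# evaluates the file, caller() is true and the block is skipped (assumption
# about how Radiator loads file: hooks; verify on your installation).
unless (caller) {
    my ($ok) = decide(['CN=vpn-inband,CN=xxx'], '192.0.2.7');
    die 'inband-only user must be allowed from anywhere' unless $ok;
    ($ok) = decide(['CN=vpn-inband,CN=xxx', 'CN=student,CN=xxx'], '10.10.10.42');
    die 'student inside range must be allowed' unless $ok;
    ($ok) = decide(['CN=vpn-inband,CN=xxx', 'CN=student,CN=xxx'], '10.1.0.10');
    die 'student outside range must be rejected' if $ok;
    ($ok) = decide(['CN=student,CN=xxx'], undef);
    die 'student without Calling-Station-Id must be rejected' if $ok;
    print "self-test ok\n";
}

# The hook itself; the file's last expression must be this code reference.
# Radiator passes ($p, $rp, \$result, \$reason).
sub {
    my ($p, $rp, $result, $reason) = @_;
    return unless $$result == $main::ACCEPT;   # only refine accepted requests
    my @groups = $rp->get_attr('ADGroups');    # all memberOf DNs from AuthBy LDAP2
    my $src    = $p->get_attr('Calling-Station-Id');
    my ($ok, $why) = decide(\@groups, $src);
    return if $ok;
    $$result = $main::REJECT;
    $$reason = $why;
    &main::log($main::LOG_INFO, "$why for " . ($p->get_attr('User-Name') // '?'));
};
```

The decision is kept in a plain function so the range logic can be checked on the command line before it touches live VPN logins, and it fails closed when a student request carries no usable Calling-Station-Id. Calling-Station-Id is whatever the ASA puts into the Access-Request, so the check is only as trustworthy as the path between the client, the ASA and Radiator.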