Hello Daniel -
I don’t know enough about your exact setup, but you should be able to do
something like this:
# InBand VPN
<Handler Client-Identifier=network-security-ib>
    # Require vpn-inband Group
    AddToRequest ADGroup="CN=vpn-inband,CN=xxx"
    # Continue Auth until acceptable permission set is found
    AuthByPolicy ContinueUntilAccept
    # Try emergency-user before asking AD
    AuthBy AuthByFile
    # AuthBy GROUP to change AuthByPolicy
    <AuthBy GROUP>
        AuthByPolicy ContinueWhileAccept
        # Try to authenticate against AD
        AuthBy AuthByAD
        # AuthBy INTERNAL RequestHook to accept or reject
        # depending on what is added to the reply by the previous
        # PostSearchHook
        # ie. a ReplyMessage that says to reject for example
        <AuthBy INTERNAL>
            RequestHook …..
        </AuthBy>
    </AuthBy>
</Handler>
There are a number of example hooks in the Radiator distribution in
“goodies/hooks.txt”.
regards
Hugh
> On 2 Mar 2017, at 23:33, [email protected] wrote:
>
> Hello Hugh,
>
>> On 02.03.17, 05:24 "Hugh Irvine" [email protected] wrote:
>> Probably the simplest way to do this is with a PostSearchHook.
>
> Maybe I understood you wrong, but I am not sure how this will help. I could
> do the IP address check in the hook; if I understood correctly, the RADIUS
> request will be passed to the hook. Two questions, however, remain:
>
> In summary, the overall logic should look like this:
>
> User is authenticated against local fallback user store
>     Permit
> User is member of VPN AD group and student AD group:
>     If source-ip in range
>         Permit
>     else
>         Deny
>     endif
> User is member of OOB VPN group:
>     Permit
> Else
>     Deny
>
> Two questions:
>
> - I understand that the “if source-ip”… part can be done in the Post Search
> Hook. How would I return a value such that the request will be denied?
> - How can I check if a user is a member of two groups and only then check the
> IP address?
>
> Thanks again and best regards
> Daniel
>
--
Hugh Irvine
[email protected]
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER, SIM, etc.
Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.
_______________________________________________
radiator mailing list
[email protected]
http://lists.open.com.au/mailman/listinfo/radiator
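Added example (not code from Hugh's post, from Daniel, or from the Radiator distribution): a Perl policy routine implementing the decision table Daniel listed, plus a thin wrapper showing how it could be called from the AuthBy INTERNAL RequestHook in the Handler above. Everything below is an assumption of this example rather than something stated in the thread: the group CNs `vpn-inband`, `students` and `vpn-oob`, the address ranges, the idea that the AD PostSearchHook stashes the user's group CNs in `$p->{ad_groups}`, that the client's public address arrives in `Calling-Station-Id`, and that RequestHook is invoked as `($self, $p, $rp)` and returns `($result, $reason)` with `$main::ACCEPT` / `$main::REJECT`. The policy function itself is pure Perl and runs stand-alone; a missing or malformed source address is treated as outside every range, so the in-band branch fails closed.

```perl
#!/usr/bin/perl
# Added example for the in-band VPN Handler discussed in the thread.
# Not from the original mail or from the Radiator distribution.
use strict;
use warnings;

# Constructed sample values (assumptions): AD group CNs and the source
# ranges that in-band students may connect from. Replace with your own.
my %GROUP = (inband => 'vpn-inband', students => 'students', oob => 'vpn-oob');
my @INBAND_RANGES = ('10.20.0.0/16', '192.0.2.0/24');

# True if dotted-quad IPv4 $ip lies inside $cidr (e.g. '10.20.0.0/16').
# Anything malformed or undefined counts as "not in range".
sub ip_in_cidr {
    my ($ip, $cidr) = @_;
    return 0 unless defined $ip
        && $ip =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
    my @ip_octets = ($1, $2, $3, $4);
    my ($net, $bits) = split m{/}, $cidr, 2;
    return 0 unless defined $bits && $bits =~ /^\d+$/ && $bits <= 32
        && $net =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
    my @net_octets = ($1, $2, $3, $4);
    return 0 if grep { $_ > 255 } @ip_octets, @net_octets;
    my $mask  = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    my $ip_n  = unpack('N', pack('C4', @ip_octets));
    my $net_n = unpack('N', pack('C4', @net_octets));
    return (($ip_n & $mask) == ($net_n & $mask)) ? 1 : 0;
}

# Daniel's decision table: in-band group AND student group => source-IP
# check; otherwise out-of-band group => permit; otherwise deny.
# $groups is an array ref of group CNs; returns ('ACCEPT'|'REJECT', reason).
sub decide_vpn_access {
    my ($groups, $source_ip) = @_;
    my %member = map { lc($_) => 1 } @$groups;
    if ($member{$GROUP{inband}} && $member{$GROUP{students}}) {
        my $ok = grep { ip_in_cidr($source_ip, $_) } @INBAND_RANGES;
        return $ok ? ('ACCEPT', 'in-band VPN from permitted range')
                   : ('REJECT', 'in-band VPN from outside permitted range');
    }
    return ('ACCEPT', 'out-of-band VPN group') if $member{$GROUP{oob}};
    return ('REJECT', 'not entitled to VPN');
}

# Glue for the AuthBy INTERNAL RequestHook in the Handler above.
# ASSUMPTIONS: the AD PostSearchHook stored the group CNs in
# $p->{ad_groups} (array ref); the client's address is in
# Calling-Station-Id; the hook is called as ($self, $p, $rp) and must
# return ($result, $reason) using $main::ACCEPT / $main::REJECT.
sub vpn_request_hook {
    no warnings 'once';    # $main::ACCEPT/REJECT are set by Radiator
    my ($self, $p, $rp) = @_;
    my $groups = $p->{ad_groups} || [];
    my ($verdict, $reason) =
        decide_vpn_access($groups, $p->get_attr('Calling-Station-Id'));
    $rp->add_attr('Reply-Message', $reason) if $verdict eq 'REJECT';
    return ($verdict eq 'ACCEPT' ? $main::ACCEPT : $main::REJECT, $reason);
}

# Stand-alone self-check on constructed inputs; runs only when this file
# is executed directly, not when it is evaluated as a hook.
unless (caller) {
    my @cases = (
        [['vpn-inband', 'students'], '10.20.5.9',   'ACCEPT'],
        [['vpn-inband', 'students'], '203.0.113.4', 'REJECT'],
        [['vpn-inband', 'students'], undef,         'REJECT'],
        [['vpn-inband'],             '10.20.5.9',   'REJECT'],
        [['vpn-oob'],                '203.0.113.4', 'ACCEPT'],
        [['VPN-OOB', 'students'],    '',            'ACCEPT'],
        [[],                         '10.20.5.9',   'REJECT'],
    );
    for my $c (@cases) {
        my ($got) = decide_vpn_access($c->[0], $c->[1]);
        my $ip = defined $c->[1] ? $c->[1] : '(none)';
        die "groups [@{$c->[0]}] from $ip: expected $c->[2], got $got\n"
            unless $got eq $c->[2];
    }
    print "all constructed cases behaved as expected\n";
}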