Re: Is there a simple way to restrict a user in the 'users' file to access only a specific ip addr/device?
Ahh, yes. Ignore my reply. I neglected to read the history and assumed that you wanted to restrict which network devices certain groups of users should be able to access AFTER they are connected.

-Peter

On Tue 16 Jan 2007 12:00, Jan Mulders wrote:

Hoping to be more helpful here, I know how to implement this functionality in freeradius, but only when using a mysql database backend (which is a good idea for most setups using more than about 20 users).

I am assuming you want to control user logins to multiple NASes and this is what you meant by user 'x' can only login to IP addr 'y' and/or 'z'. If you need to just filter traffic based on real network devices, for example where Y and Z are IP addresses on your network, you can safely ignore my first radgroupcheck entry below that restricts NAS choice.

If you get a standard mysql setup working, all you need to do is add the user's password to radcheck (for table names username,attribute,op,value you should have bobengineer,User-Password,==,nortel), and add the user to a group in radgroup (username,group = bobengineer,engineers). Then you can set group-specific policies by putting entries in radgroupcheck and radgroupreply, such as:

radgroupcheck: [groupname,attribute,op,value]
engineers,NAS-IP-Address,==,11.22.33.44 (all engineers connecting must do so from the NAS with IP address 11.22.33.44)
engineers,Pool-Name,==,engineers_pool (all engineers connecting will be assigned an IP from the 'engineers' IP pool, which means you can firewall them off using IPTables (or the Shorewall frontend to iptables, which I recommend using) or something similar)

Basically this provides you with both tools you will need - the ability to restrict where users can log into, and the ability to restrict what IP address users receive.

You'll need to set up rlm_ippool to automatically assign IPs, and you'll want to make sure your NAS devices send accounting packets (accounting start/stop are important - also if accounting stops aren't sent, you'll run out of IP addresses).

Hope this is a little more helpful than the usually flippant replies on the mailing list, I was in the same boat before too :-)

thanks,
Jan

On 16/01/07, Peter Nixon [EMAIL PROTECTED] wrote:

Yep. It's called a firewall...

-Peter

On Tue 02 Jan 2007 20:39, Ellis, Scott 1 (N-Comptel Inc.) wrote:

I am using PAM for auth-type in my users file. Is there a simple way to say that user 'x' can only login to IP addr 'y' and/or 'z'? I have groups of engrs, admins, and operators and need to discriminate who can access which device.

Scott

-----Original Message-----
From: Ellis, Scott 1 (N-Comptel Inc.)
Sent: Tuesday, January 02, 2007 11:40 AM
To: 'FreeRadius users mailing list'
Cc: Ellis, Scott 1 (N-Comptel Inc.)
Subject: RE: How to restrict users /PAM to specific NAS devices??

I have looked it over, but I am still not clear. I was thinking that I could use huntgroups to map devices to specific groups, but then I am not clear on how to restrict users ('users' file) to those groups. I know this has probably been done most everywhere in one form or another. Any examples that show the actual entries in the appropriate files?

Thanks,
Scott

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Tuesday, January 02, 2007 9:43 AM
To: FreeRadius users mailing list
Subject: Re: How to restrict users /PAM to specific NAS devices??

Ellis, Scott 1 (N-Comptel Inc.) wrote: I am using PAM for Auth-Type. I want to be able to either 1) restrict the devices the user has access to (admins, operators, etc) by username and/or 2) preferably carve into groups my network gear/NAS devices and then assign users to groups.

See man rlm_passwd. Its documentation describes how to create groups like this.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Is there a simple way to restrict a user in the 'users' file to access only a specific ip addr/device?
Yep. It's called a firewall...

-Peter

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Is there a simple way to restrict a user in the 'users' file to access only a specific ip addr/device?
Hoping to be more helpful here, I know how to implement this functionality in freeradius, but only when using a mysql database backend (which is a good idea for most setups using more than about 20 users).

I am assuming you want to control user logins to multiple NASes and this is what you meant by user 'x' can only login to IP addr 'y' and/or 'z'. If you need to just filter traffic based on real network devices, for example where Y and Z are IP addresses on your network, you can safely ignore my first radgroupcheck entry below that restricts NAS choice.

If you get a standard mysql setup working, all you need to do is add the user's password to radcheck (for table names username,attribute,op,value you should have bobengineer,User-Password,==,nortel), and add the user to a group in radgroup (username,group = bobengineer,engineers). Then you can set group-specific policies by putting entries in radgroupcheck and radgroupreply, such as:

radgroupcheck: [groupname,attribute,op,value]
engineers,NAS-IP-Address,==,11.22.33.44 (all engineers connecting must do so from the NAS with IP address 11.22.33.44)
engineers,Pool-Name,==,engineers_pool (all engineers connecting will be assigned an IP from the 'engineers' IP pool, which means you can firewall them off using IPTables (or the Shorewall frontend to iptables, which I recommend using) or something similar)

Basically this provides you with both tools you will need - the ability to restrict where users can log into, and the ability to restrict what IP address users receive.

You'll need to set up rlm_ippool to automatically assign IPs, and you'll want to make sure your NAS devices send accounting packets (accounting start/stop are important - also if accounting stops aren't sent, you'll run out of IP addresses).

Hope this is a little more helpful than the usually flippant replies on the mailing list, I was in the same boat before too :-)

thanks,
Jan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Is there a simple way to restrict a user in the 'users' file to access only a specific ip addr/device?
I am using PAM for auth-type in my users file. Is there a simple way to say that user 'x' can only login to IP addr 'y' and/or 'z'? I have groups of engrs, admins, and operators and need to discriminate who can access which device.

Scott

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
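The flat-file version of what Scott asks for, as an added example written for this page (it is not from the thread and not from the FreeRADIUS project): a `huntgroups` file that maps NAS addresses to named device groups, and `users` entries that let each Unix group log in only to its own huntgroup. The file paths, the 192.0.2.x addresses and the group names are constructed for the example. The syntax is that of FreeRADIUS 1.x/2.x, where the `preprocess` module (in authorize, before `files`) reads `huntgroups` and sets `Huntgroup-Name`, and the `Group ==` check item is evaluated by the `unix` module, which must therefore be loaded.

```text
# /etc/raddb/huntgroups  (assumed path; constructed example)
# Map each NAS (the device the user is logging in to) to a huntgroup.
# Several lines with the same name are OR'ed together, so a huntgroup
# can cover any number of devices.
eng-devices     NAS-IP-Address == 192.0.2.10
eng-devices     NAS-IP-Address == 192.0.2.11
ops-devices     NAS-IP-Address == 192.0.2.20

# /etc/raddb/users  (assumed path; constructed example)
# Entries are tried in order. All check items on the first line must
# match; processing stops at the first match unless Fall-Through = Yes.
# "Group ==" compares against the user's Unix group (rlm_unix).

# Engineers may authenticate only on engineer devices.
DEFAULT Huntgroup-Name == "eng-devices", Group == "engineers", Auth-Type := PAM
        Fall-Through = No

# Operators may authenticate only on operator devices.
DEFAULT Huntgroup-Name == "ops-devices", Group == "operators", Auth-Type := PAM
        Fall-Through = No

# Admins may authenticate on any device that is in some huntgroup.
DEFAULT Huntgroup-Name == "eng-devices", Group == "admins", Auth-Type := PAM
        Fall-Through = No
DEFAULT Huntgroup-Name == "ops-devices", Group == "admins", Auth-Type := PAM
        Fall-Through = No

# Everything else is rejected: a user on the wrong device, or a NAS that
# is in no huntgroup at all. This must stay the last entry.
DEFAULT Auth-Type := Reject
        Reply-Message = "Not authorized on this device"
```

Because the first matching entry wins, the catch-all `Reject` has to come last; putting it earlier would reject everyone. One caveat worth keeping in mind when reading the `huntgroups` file: `NAS-IP-Address` is an attribute the NAS itself places in the Access-Request, and what actually authenticates the device is its entry and shared secret in `clients.conf`, so only list addresses there that are also defined as clients.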