Re: Is there a simple way to restrict a user in the 'users' file to access only a specific ip addr/device?

2007-01-17 Thread Peter Nixon
Ahh. yes. Ignore my reply. I neglected to read the history and assumed that 
you wanted to restrict which network devices certain groups of users should 
be able to access AFTER they are connected.

-Peter

On Tue 16 Jan 2007 12:00, Jan Mulders wrote:
 Hoping to be more helpful here, I know how to implement this functionality
 in freeradius, but only when using a mysql database backend (which is a
 good idea for most setups using more than about 20 users).

 I am assuming you want to control user logins to multiple NASes and this
 is what you meant by user 'x' can only login to IP addr 'y' and /or 'z'.
 If you need to just filter traffic based on real network devices, for
 example where Y and Z are IP addresses on your network, you can safely
 ignore my first radgroupcheck entry below that restricts NAS choice.
 If you get a standard mysql setup working, all you need to do is add the
 user's password to radcheck (for table names username,attribute,op,value
 you should have bobengineer,User-Password,==,nortel), and add the user
 to a group in radgroup (username, group = bobengineer,engineers). Then you
 can set group-specific policies by putting entries in radgroupcheck and
 radgroupreply, such as...:

 radgroupcheck: [groupname,attribute,op,value]
 engineers,NAS-IP-Address,==,11.22.33.44 (all engineers connecting must
 do so from NAS with IP address 11.22.33.44)
 engineers, Pool-Name,==,engineers_pool   (all engineers connecting will be
 assigned an IP from the 'engineers' IP pool, which means you can firewall
 them off using IPTables (or the Shorewall frontend to iptables, which I
 recommend using) or something similar)

 Basically this provides you with both tools you will need - the ability to
 restrict where users can log into, and the ability to restrict what IP
 address users receive. You'll need to set up rlm_ippool to automatically
 assign IPs, and you'll want to make sure your NAS devices send accounting
 packets (accounting start/stop are important - also if accounting stops
 aren't sent, you'll run out of IP addresses).

 Hope this is a little more helpful than the usually flippant replies on
 the mailing list, I was in the same boat before too :-)

 thanks,

 Jan

 On 16/01/07, Peter Nixon [EMAIL PROTECTED] wrote:
  Yep. It's called a firewall...
 
  -Peter
 
  On Tue 02 Jan 2007 20:39, Ellis, Scott 1 (N-Comptel Inc.) wrote:
I am using PAM for auth-type in my users file. Is there a simple way
   to say that user 'x' can only login to IP addr 'y' and /or 'z'? I have
   groups of engrs, admins, and operators and need to discriminate who
   can access which device
  
   Scott
  
   -Original Message-
   From: Ellis, Scott 1 (N-Comptel Inc.)
   Sent: Tuesday, January 02, 2007 11:40 AM
   To: 'FreeRadius users mailing list'
   Cc: Ellis, Scott 1 (N-Comptel Inc.)
   Subject: RE: How to restrict users /PAM to specific NAS devices??
  
   I have looked it over, but I am still not clear. I was thinking that I
   could use huntgroups to map devices to specific groups, but then I am
   not clear on how to restrict users ('users' file) to those groups. I
   know this has probably been done most everywhere in one form or
   another. Any examples that show the actual entries in the approp.
   files?
  
   Thanks,
   Scott
  
   -Original Message-
   From:
   [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED]
  us .org] On Behalf Of Alan DeKok
   Sent: Tuesday, January 02, 2007 9:43 AM
   To: FreeRadius users mailing list
   Subject: Re: How to restrict users /PAM to specific NAS devices??
  
   Ellis, Scott 1 (N-Comptel Inc.) wrote:
I am using PAM for Auth-Type.
 I want to be able to either 1) restrict the devices the user has
 access to (admins,operators, etc) by username and/or 2) preferably
 carve into groups my network gear/NAS devices and then assign users to
 groups.
  
 See man rlm_passwd.  Its documentation describes how to create
   groups like this.
  
 Alan DeKok.
   --
 http://deployingradius.com   - The web site of the book
 http://deployingradius.com/blog/ - The blog
   -
   List info/subscribe/unsubscribe? See
   http://www.freeradius.org/list/users.html
 
  --
 
  Peter Nixon
  http://www.peternixon.net/
  PGP Key: http://www.peternixon.net/public.asc
 
 

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



Re: Is there a simple way to restrict a user in the 'users' file to access only a specific ip addr/device?

2007-01-16 Thread Peter Nixon
Yep. It's called a firewall...

-Peter

On Tue 02 Jan 2007 20:39, Ellis, Scott 1 (N-Comptel Inc.) wrote:
  I am using PAM for auth-type in my users file. Is there a simple way to
 say that user 'x' can only login to IP addr 'y' and /or 'z'? I have
 groups of engrs, admins, and operators and need to discriminate who can
 access which device

 Scott

 -Original Message-
 From: Ellis, Scott 1 (N-Comptel Inc.)
 Sent: Tuesday, January 02, 2007 11:40 AM
 To: 'FreeRadius users mailing list'
 Cc: Ellis, Scott 1 (N-Comptel Inc.)
 Subject: RE: How to restrict users /PAM to specific NAS devices??

 I have looked it over, but I am still not clear. I was thinking that I
 could use huntgroups to map devices to specific groups, but then I am
 not clear on how to restrict users ('users' file) to those groups. I
 know this has probably been done most everywhere in one form or another.
 Any examples that show the actual entries in the approp. files?

 Thanks,
 Scott

 -Original Message-
 From:
 [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
 .org] On Behalf Of Alan DeKok
 Sent: Tuesday, January 02, 2007 9:43 AM
 To: FreeRadius users mailing list
 Subject: Re: How to restrict users /PAM to specific NAS devices??

 Ellis, Scott 1 (N-Comptel Inc.) wrote:
  I am using PAM for Auth-Type.
  I want to be able to either 1) restrict the devices the user has
  access to (admins,operators, etc) by username and/or 2) preferably
  carve into groups my network gear/NAS devices and then assign users to
  groups.

  See man rlm_passwd.  Its documentation describes how to create
 groups like this.

   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



Re: Is there a simple way to restrict a user in the 'users' file to access only a specific ip addr/device?

2007-01-16 Thread Jan Mulders

Hoping to be more helpful here, I know how to implement this functionality
in freeradius, but only when using a mysql database backend (which is a good
idea for most setups using more than about 20 users).

I am assuming you want to control user logins to multiple NASes and this is
what you meant by user 'x' can only login to IP addr 'y' and /or 'z'. If
you need to just filter traffic based on real network devices, for example
where Y and Z are IP addresses on your network, you can safely ignore my
first radgroupcheck entry below that restricts NAS choice.
If you get a standard mysql setup working, all you need to do is add the
user's password to radcheck (for table names username,attribute,op,value
you should have bobengineer,User-Password,==,nortel), and add the user to
a group in radgroup (username, group = bobengineer,engineers). Then you can
set group-specific policies by putting entries in radgroupcheck and
radgroupreply, such as...:

radgroupcheck: [groupname,attribute,op,value]
engineers,NAS-IP-Address,==,11.22.33.44 (all engineers connecting must do
so from NAS with IP address 11.22.33.44)
engineers, Pool-Name,==,engineers_pool   (all engineers connecting will be
assigned an IP from the 'engineers' IP pool, which means you can firewall
them off using IPTables (or the Shorewall frontend to iptables, which I
recommend using) or something similar)

Basically this provides you with both tools you will need - the ability to
restrict where users can log into, and the ability to restrict what IP
address users receive. You'll need to set up rlm_ippool to automatically
assign IPs, and you'll want to make sure your NAS devices send accounting
packets (accounting start/stop are important - also if accounting stops
aren't sent, you'll run out of IP addresses).

Hope this is a little more helpful than the usually flippant replies on the
mailing list, I was in the same boat before too :-)

thanks,

Jan


On 16/01/07, Peter Nixon [EMAIL PROTECTED] wrote:

Yep. It's called a firewall...

-Peter

On Tue 02 Jan 2007 20:39, Ellis, Scott 1 (N-Comptel Inc.) wrote:
  I am using PAM for auth-type in my users file. Is there a simple way to
 say that user 'x' can only login to IP addr 'y' and /or 'z'? I have
 groups of engrs, admins, and operators and need to discriminate who can
 access which device

 Scott

 -Original Message-
 From: Ellis, Scott 1 (N-Comptel Inc.)
 Sent: Tuesday, January 02, 2007 11:40 AM
 To: 'FreeRadius users mailing list'
 Cc: Ellis, Scott 1 (N-Comptel Inc.)
 Subject: RE: How to restrict users /PAM to specific NAS devices??

 I have looked it over, but I am still not clear. I was thinking that I
 could use huntgroups to map devices to specific groups, but then I am
 not clear on how to restrict users ('users' file) to those groups. I
 know this has probably been done most everywhere in one form or another.
 Any examples that show the actual entries in the approp. files?

 Thanks,
 Scott

 -Original Message-
 From:
 [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
 .org] On Behalf Of Alan DeKok
 Sent: Tuesday, January 02, 2007 9:43 AM
 To: FreeRadius users mailing list
 Subject: Re: How to restrict users /PAM to specific NAS devices??

 Ellis, Scott 1 (N-Comptel Inc.) wrote:
  I am using PAM for Auth-Type.
  I want to be able to either 1) restrict the devices the user has
  access to (admins,operators, etc) by username and/or 2) preferably
  carve into groups my network gear/NAS devices and then assign users to
  groups.

  See man rlm_passwd.  Its documentation describes how to create
 groups like this.

   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog

--

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc


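The table rows Jan describes, written out as an added example (this is not code from the thread or from the FreeRADIUS project). It assumes the stock FreeRADIUS 2.x/3.x SQL schema (radcheck, radusergroup, radgroupcheck, radgroupreply); the user names, NAS addresses and pool names are constructed sample values.

```sql
-- 1. Credentials: one radcheck row per user. Cleartext-Password with ':='
--    is the check item current FreeRADIUS releases expect for a known
--    plaintext password (the User-Password == form in Jan's message is
--    the older 1.x idiom).
INSERT INTO radcheck (username, attribute, op, value) VALUES
  ('bobengineer', 'Cleartext-Password', ':=', 'sample-pw-change-me'),
  ('aliceops',    'Cleartext-Password', ':=', 'sample-pw-change-me');

-- 2. Group membership: radusergroup binds each user to a policy group.
INSERT INTO radusergroup (username, groupname, priority) VALUES
  ('bobengineer', 'engineers', 1),
  ('aliceops',    'operators', 1);

-- 3. Group check items. NAS-IP-Address comes from the Access-Request, so
--    '==' means "reject unless the request arrived from this NAS".
--    Pool-Name is a control attribute read by the IP pool module, so it is
--    assigned with ':=' rather than compared against the request.
INSERT INTO radgroupcheck (groupname, attribute, op, value) VALUES
  ('engineers', 'NAS-IP-Address', '==', '192.0.2.10'),
  ('engineers', 'Pool-Name',      ':=', 'engineers_pool'),
  ('operators', 'NAS-IP-Address', '==', '192.0.2.20'),
  ('operators', 'Pool-Name',      ':=', 'operators_pool');

-- 4. Group reply items returned to the NAS on Access-Accept; the pool
--    module adds Framed-IP-Address from the group's pool.
INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES
  ('engineers', 'Service-Type',    ':=', 'Framed-User'),
  ('engineers', 'Framed-Protocol', ':=', 'PPP'),
  ('operators', 'Service-Type',    ':=', 'Framed-User'),
  ('operators', 'Framed-Protocol', ':=', 'PPP');

-- 5. Audit query: which NAS is each user allowed to authenticate from?
--    Run it after any change to the group tables to confirm the policy.
SELECT ug.username, ug.groupname, gc.value AS allowed_nas
  FROM radusergroup ug
  JOIN radgroupcheck gc ON gc.groupname = ug.groupname
 WHERE gc.attribute = 'NAS-IP-Address'
 ORDER BY ug.username;
```

Check items within one group are ANDed, so two NAS-IP-Address == rows in the same group can never both match a single request. To admit a group to two NASes ('y' and/or 'z' in Scott's question), list both addresses under one name in the huntgroups file and use a single Huntgroup-Name == check item instead.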

Is there a simple way to restrict a user in the 'users' file to access only a specific ip addr/device?

2007-01-02 Thread Ellis, Scott 1 (N-Comptel Inc.)
 I am using PAM for auth-type in my users file. Is there a simple way to
say that user 'x' can only login to IP addr 'y' and /or 'z'? I have
groups of engrs, admins, and operators and need to discriminate who can
access which device

Scott

-Original Message-
From: Ellis, Scott 1 (N-Comptel Inc.) 
Sent: Tuesday, January 02, 2007 11:40 AM
To: 'FreeRadius users mailing list'
Cc: Ellis, Scott 1 (N-Comptel Inc.)
Subject: RE: How to restrict users /PAM to specific NAS devices??

I have looked it over, but I am still not clear. I was thinking that I
could use huntgroups to map devices to specific groups, but then I am
not clear on how to restrict users ('users' file) to those groups. I
know this has probably been done most everywhere in one form or another.
Any examples that show the actual entries in the approp. files?

Thanks,
Scott 

-Original Message-
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
.org] On Behalf Of Alan DeKok
Sent: Tuesday, January 02, 2007 9:43 AM
To: FreeRadius users mailing list
Subject: Re: How to restrict users /PAM to specific NAS devices??

Ellis, Scott 1 (N-Comptel Inc.) wrote:
 I am using PAM for Auth-Type.
 I want to be able to either 1) restrict the devices the user has 
 access to (admins,operators, etc) by username and/or 2) preferably 
 carve into groups my network gear/NAS devices and then assign users to
groups.

 See man rlm_passwd.  Its documentation describes how to create
groups like this.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog