RE: restricting users access to clients?

2007-04-20 Thread Matt Ashfield
Hi, I realize this was a thread from over a month ago, but thought I'd ask
anyway. I have my original post, followed by your reply, followed by my new
question.

First off, my original post:
We're using FreeRadius to authenticate our wireless users (whose
credentials are stored in LDAP). But we'd also like to use it to
authenticate a select few users who need access to our networking gear. Our
networking gear is set up to do this, but I'm not sure how to set this up in
FreeRadius.

I would assume that you'd specify in the clients.conf section which users
are allowed access to that device, but in looking at the documentation for
clients.conf, that doesn't seem to be the case.

And your reply:
You would want to use the special username DEFAULT.  (Check the man page
for users(5).)

What I did (although this might be slightly hackish) is I took a look
at the attributes in the request that was being sent by the supplicant.
I looked for attributes that were different between the wireless users
and the network equipment users.  For example, you might want to do
something like:

admin1  NAS-Port-Type == Virtual, Auth-Type = LDAP

admin2  NAS-Port-Type == Virtual, Auth-Type = LDAP

# This matches everyone else
DEFAULT   NAS-Port-Type == Virtual, Auth-Type := Reject

# This will match all wireless users
DEFAULT   NAS-Port-Type == Wireless-802.11, Auth-Type = LDAP

Of course, this will mean that your network admins will *only* be able
to login via LDAP.  You may need to configure some kind of Fall-Through
if you want users to authenticate using some other mechanism in addition
to LDAP.  So this is not without its limitations, but this should give
you some ideas to start from.
-- 
John Guthrie
[EMAIL PROTECTED]

=
My question here is, would doing what you mentioned above eliminate the
possibility of users other than admin1 or admin2 authenticating to the
network via that switch? What we're trying to do is rather odd I guess. On
one hand, we want to use the switch as an 802.1x device for regular use. So
it has to be able to authenticate at the switch port level via 802.1x. We
currently have huntgroups for that and it works.
We'd ALSO like to be able to use Radius to authenticate our comms staff when
they telnet/login to the switches' mgmt interfaces. So while I think your
suggestion above would work for that part, would it at the same time deny
all my 802.1x users because of the Reject statement?

I'm a bit confused, so any help is appreciated.

Cheers
Matt


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: restricting users access to clients?

2007-03-15 Thread Alan DeKok
Matt Ashfield wrote:
> I guess I was hoping for a link to an example of some sort. Because the user
> who would be given access is not explicitly defined in the users file (the
> user is defined in LDAP), I'm not sure how to set up a rule for that person.

  By putting their username into an entry in the users file?  You can
have multiple rules for a user, in multiple modules.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: restricting users access to clients?

2007-03-14 Thread Alan DeKok
Matt Ashfield wrote:

> We're using FreeRadius to authenticate our wireless users (whose
> credentials are stored in LDAP). But we'd also like to use it to
> authenticate a select few users who need access to our networking gear. Our
> networking gear is set up to do this, but I'm not sure how to set this up in
> FreeRadius.

  Write rules in the users file.

> I would assume that you'd specify in the clients.conf section which users
> are allowed access to that device, but in looking at the documentation for
> clients.conf, that doesn't seem to be the case.

  No.  The clients.conf file just defines clients.  It doesn't do
anything more than that.

  There's no reason code couldn't be written to permit that, though...

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


RE: restricting users access to clients?

2007-03-14 Thread Matt Ashfield
Ok, the users file it is! Thanks!

I guess I was hoping for a link to an example of some sort. Because the user
who would be given access is not explicitly defined in the users file (the
user is defined in LDAP), I'm not sure how to set up a rule for that person.

Thanks again,

Cheers

Matt
[EMAIL PROTECTED] 


-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED] 
Sent: March 14, 2007 3:50 PM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: restricting users access to clients?

Matt Ashfield wrote:

> We're using FreeRadius to authenticate our wireless users (whose
> credentials are stored in LDAP). But we'd also like to use it to
> authenticate a select few users who need access to our networking gear. Our
> networking gear is set up to do this, but I'm not sure how to set this up in
> FreeRadius.

  Write rules in the users file.

> I would assume that you'd specify in the clients.conf section which users
> are allowed access to that device, but in looking at the documentation for
> clients.conf, that doesn't seem to be the case.

  No.  The clients.conf file just defines clients.  It doesn't do
anything more than that.

  There's no reason code couldn't be written to permit that, though...

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog




RE: restricting users access to clients?

2007-03-14 Thread John T. Guthrie
On Wed, 2007-03-14 at 16:08 -0300, Matt Ashfield wrote:
> Ok, the users file it is! Thanks!
>
> I guess I was hoping for a link to an example of some sort. Because the user
> who would be given access is not explicitly defined in the users file (the
> user is defined in LDAP), I'm not sure how to set up a rule for that person.
>
> Thanks again,
>
> Cheers
>
> Matt
> [EMAIL PROTECTED]

You would want to use the special username DEFAULT.  (Check the man page
for users(5).)

What I did (although this might be slightly hackish) is I took a look
at the attributes in the request that was being sent by the supplicant.
I looked for attributes that were different between the wireless users
and the network equipment users.  For example, you might want to do
something like:

admin1  NAS-Port-Type == Virtual, Auth-Type = LDAP

admin2  NAS-Port-Type == Virtual, Auth-Type = LDAP

# This matches everyone else
DEFAULT   NAS-Port-Type == Virtual, Auth-Type := Reject

# This will match all wireless users
DEFAULT   NAS-Port-Type == Wireless-802.11, Auth-Type = LDAP

Of course, this will mean that your network admins will *only* be able
to login via LDAP.  You may need to configure some kind of Fall-Through
if you want users to authenticate using some other mechanism in addition
to LDAP.  So this is not without its limitations, but this should give
you some ideas to start from.

-- 
John Guthrie
[EMAIL PROTECTED]
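The users-file entries in John Guthrie's reply, and the question in Matt Ashfield's April follow-up about whether the `Auth-Type := Reject` DEFAULT also catches 802.1x users, can both be checked by walking the entries the way users(5) processes them. The Python below is an added example written for this page, not code from the thread or from the FreeRADIUS project: it transcribes the four entries into a small table and applies first-match semantics (top to bottom, stop at the first matching entry unless it sets Fall-Through = Yes; `=` sets a control item only if it is absent, `:=` overwrites it). The Access-Requests are constructed; the NAS-Port-Type value Ethernet for a wired 802.1x switch port is an assumption about what the switch sends and should be confirmed against your own NAS in `radiusd -X` output.

```python
"""Model of FreeRADIUS 'users' file first-match processing.

Added example, not code from the thread or the FreeRADIUS project. It
transcribes the four entries posted by John Guthrie into a data structure
and walks them as users(5) describes: top to bottom, first matching entry
wins unless that entry sets Fall-Through = Yes. Operators are modelled as
'==' (compare a request attribute), '=' (set a control item if absent)
and ':=' (set it unconditionally). All Access-Requests are constructed.
"""

from dataclasses import dataclass


@dataclass
class Entry:
    name: str                   # User-Name to match, or "DEFAULT" for anyone
    checks: list                # (attribute, "==", value): all must match
    control: list               # (attribute, "=" | ":=", value): applied on match
    fall_through: bool = False  # Fall-Through = Yes: keep scanning after a match


# The entries from the post, in the same order as the users file.
USERS = [
    Entry("admin1",  [("NAS-Port-Type", "==", "Virtual")],         [("Auth-Type", "=",  "LDAP")]),
    Entry("admin2",  [("NAS-Port-Type", "==", "Virtual")],         [("Auth-Type", "=",  "LDAP")]),
    Entry("DEFAULT", [("NAS-Port-Type", "==", "Virtual")],         [("Auth-Type", ":=", "Reject")]),
    Entry("DEFAULT", [("NAS-Port-Type", "==", "Wireless-802.11")], [("Auth-Type", "=",  "LDAP")]),
]


def apply_control(control, attr, op, value):
    """Apply one control item with users-file operator semantics."""
    if op == ":=" or attr not in control:
        control[attr] = value


def evaluate(users, request):
    """Walk the entries for one request.

    Returns (matched_entry_indexes, control_items). An empty index list
    means no entry matched, so this file sets no Auth-Type for the request.
    """
    matched = []
    control = {}
    for idx, entry in enumerate(users):
        if entry.name != "DEFAULT" and entry.name != request.get("User-Name"):
            continue
        if any(request.get(attr) != value for attr, _, value in entry.checks):
            continue
        matched.append(idx)
        for attr, op, value in entry.control:
            apply_control(control, attr, op, value)
        if not entry.fall_through:
            break
    return matched, control


def auth_type(users, request):
    """The Auth-Type the file would set for the request, or None if nothing matched."""
    _, control = evaluate(users, request)
    return control.get("Auth-Type")


# Constructed requests covering the cases discussed in the thread.
# NAS-Port-Type: Virtual for telnet/ssh to a management interface,
# Wireless-802.11 for the AP/controller, Ethernet for a wired 802.1x switch
# port (assumption: confirm what your switch actually sends with radiusd -X).
REQUESTS = {
    "admin1 telnet to switch":  {"User-Name": "admin1", "NAS-Port-Type": "Virtual"},
    "alice telnet to switch":   {"User-Name": "alice",  "NAS-Port-Type": "Virtual"},
    "alice on wireless":        {"User-Name": "alice",  "NAS-Port-Type": "Wireless-802.11"},
    "alice wired 802.1x port":  {"User-Name": "alice",  "NAS-Port-Type": "Ethernet"},
}

if __name__ == "__main__":
    for label, req in REQUESTS.items():
        matched, control = evaluate(USERS, req)
        print(f"{label:26s} -> entries {matched} Auth-Type={control.get('Auth-Type')}")
```

Because every check item names a specific NAS-Port-Type, the Reject on Virtual never touches a Wireless-802.11 request, which falls to the last DEFAULT. The case to watch is the wired 802.1x switch port: with these four entries an Ethernet request matches nothing and leaves this file with no Auth-Type at all, so it needs its own entry (or a huntgroup check) rather than relying on the wireless DEFAULT. The model also shows why Fall-Through has to be handled carefully: an admin entry with Fall-Through = Yes would continue into the `:=` Reject DEFAULT, which overwrites the LDAP value that `=` had set.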