(RADIATOR) Wanting to give certain users a static IP on a Cisco VPN

Hugh Irvine hugh at open.com.au
Wed Mar 19 16:21:57 CST 2003


Hello Troy -

You can use cascaded AuthBy clauses for this.

------------------------------------------------------
<Client DEFAULT>
        Secret  xxxxxxxxx
        DupInterval 0
</Client>

<AuthBy GROUP>
        Identifier vpn
        <AuthBy GROUP>
                AuthByPolicy ContinueUntilReject

                <AuthBy NCSU>
                </AuthBy>

                <AuthBy GROUP>
                        Identifier vpn_groups
                        AuthByPolicy ContinueWhileReject
                        #foo user
                        <AuthBy HesiodGroup>
                                HesiodAllow foo
                                HesiodDeny disable
                                AddToReply Class="OU=foo;"
                        </AuthBy>
                        #bar users
                        <AuthBy HesiodGroup>
                                HesiodAllow bar
                                HesiodDeny disable
                                StripFromReply Class
                                AddToReply Class="OU=bar;"
                        </AuthBy>
                        #dog user
                        <AuthBy HesiodGroup>
                                HesiodAllow dog
                                HesiodDeny disable
                                StripFromReply Class
                                AddToReply Class="OU=dog;"
                        </AuthBy>
                        #cat users
                        <AuthBy HesiodGroup>
                                HesiodAllow cat
                                HesiodDeny disable
                                StripFromReply Class
                                AddToReply Class="OU=cat;"
                        </AuthBy>
                </AuthBy>
        </AuthBy>
</AuthBy>

<AuthBy FILE>
        Identifier vpn.users
        Filename %D/vpn.users
</AuthBy>

<Handler NAS-IP-Address=vpn-address>
        RewriteUsername s/^([^@]+).*/$1/
        RewriteUsername tr/A-Za-z0-9//cd
        AuthBy vpn.users
        AcctLogFileName /radius-dir/vpn
</Handler>

Then the file "vpn.users" would contain this:

# vpn.users

DEFAULT Auth-Type = vpn

userA Auth-Type = vpn
	Framed-IP-Address = a.a.a.a

userB Auth-Type = vpn
	Framed-IP-Address = b.b.b.b

.......


regards

Hugh


On Thursday, Mar 20, 2003, at 08:45 Australia/Melbourne, Troy Holder wrote:

> We are setting up our VPN so that everyone will use a default group
> when connecting to the concentrator. I then have my radius server set up to
> check their password with Kerberos (via AuthBy NCSU) and then check
> their classification via Hesiod (via AuthBy hesiod) to see what group
> to put them in on the vpn.
> We want to allow certain users to have a static IP address (user a gets
> IP a where user b gets IP b). I know that I can use the following to
> set a user's IP address:
> 	AddToReply Framed-IP-Address = a.b.c.d
> What I have not figured out is a scalable way to do this with multiple
> users. I know I can add a handler for every user and add the AddToReply
> line there, but I may have a few dozen down the road and do not want my
> config to grow so much. I would like to either put the users and IPs in
> a db or in a flat file.
> The part of my config that is used by the VPN concentrator is below.
> Does anyone have a suggestion?
>
>
> ------------------------------------------------------
> <Client DEFAULT>
>         Secret  xxxxxxxxx
>         DupInterval 0
> </Client>
>
> <AuthBy GROUP>
>         Identifier vpn
>         <AuthBy GROUP>
>                 AuthByPolicy ContinueUntilReject
>
>                 <AuthBy NCSU>
>                 </AuthBy>
>
>                 <AuthBy GROUP>
>                         Identifier vpn_groups
>                         AuthByPolicy ContinueWhileReject
>                         #foo user
>                         <AuthBy HesiodGroup>
>                                 HesiodAllow foo
>                                 HesiodDeny disable
>                                 AddToReply Class="OU=foo;"
>                         </AuthBy>
>                         #bar users
>                         <AuthBy HesiodGroup>
>                                 HesiodAllow bar
>                                 HesiodDeny disable
>                                 StripFromReply Class
>                                 AddToReply Class="OU=bar;"
>                         </AuthBy>
>                         #dog user
>                         <AuthBy HesiodGroup>
>                                 HesiodAllow dog
>                                 HesiodDeny disable
>                                 StripFromReply Class
>                                 AddToReply Class="OU=dog;"
>                         </AuthBy>
>                         #cat users
>                         <AuthBy HesiodGroup>
>                                 HesiodAllow cat
>                                 HesiodDeny disable
>                                 StripFromReply Class
>                                 AddToReply Class="OU=cat;"
>                         </AuthBy>
>                 </AuthBy>
>         </AuthBy>
> </AuthBy>
>
> <Handler NAS-IP-Address=vpn-address>
>         RewriteUsername s/^([^@]+).*/$1/
>         RewriteUsername tr/A-Za-z0-9//cd
>         AuthBy vpn
>         AcctLogFileName /radius-dir/vpn
> </Handler>
>
>
>
> -- 
> -----------------------------------
> | Troy Holder    troy at ncstate.net |
> |     Senior Network Engineer     |
> |   Communication Technologies    |
> | North Carolina State University |
> -----------------------------------
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
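As an added example (not code from the Radiator project or from either post), here is a small Python checker for a vpn.users file of the shape Hugh shows above. It assumes the users-file layout in his reply: check items such as `Auth-Type = vpn` on the line that begins with the username, reply items such as `Framed-IP-Address` on the indented lines that follow, items separated by commas, and `#` starting a comment. It parses the file, resolves a username the way the file is meant to be used (the exact entry first, then `DEFAULT`, which is why `DEFAULT` can sit at the top of Hugh's file), and flags three things an operator would want caught before the file grows to a few dozen users: the same static address handed to two users, a malformed address, and an entry that lacks the `Auth-Type = vpn` check item and so would never be cascaded to the group that does the Kerberos and Hesiod checks. The sample file, usernames and addresses are constructed for the example.

```python
"""Parse a Radiator-style users file and sanity-check static IP assignments.

Added example, not code from the Radiator project or the list post. It assumes
the users-file layout shown in Hugh's reply: check items on the username line,
reply items on the indented continuation lines, comma-separated items, and
'#' starting a comment.
"""
import ipaddress
import re

# name, operator, value; the two-character operators must be tried before '='
ITEM_RE = re.compile(r'^([\w-]+)\s*(==|:=|!=|=)\s*(.*)$')

# Constructed sample in the layout of Hugh's vpn.users (addresses are made up).
# userC repeats userB's address, userD has a bad address and no Auth-Type.
SAMPLE_USERS_FILE = """\
# vpn.users  (constructed sample)

DEFAULT Auth-Type = vpn

userA Auth-Type = vpn
\tFramed-IP-Address = 10.20.30.11

userB Auth-Type = vpn
\tFramed-IP-Address = 10.20.30.12

userC Auth-Type = vpn
\tFramed-IP-Address = 10.20.30.12

userD
\tFramed-IP-Address = 10.20.30.999
"""


def _split_items(text):
    """Turn 'A = 1, B = "x"' into [(name, op, value), ...], unquoting values."""
    items = []
    for raw in text.split(','):
        raw = raw.strip()
        if not raw:
            continue
        m = ITEM_RE.match(raw)
        if not m:
            raise ValueError(f"cannot parse item: {raw!r}")
        name, op, value = m.groups()
        items.append((name, op, value.strip().strip('"')))
    return items


def parse_users_file(text):
    """Return entries in file order as dicts with 'user', 'check' and 'reply'."""
    entries = []
    current = None
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split('#', 1)[0].rstrip()   # drop comments, trailing space
        if not line.strip():
            continue
        if line[0] in ' \t':
            # Indented continuation line: reply items for the entry above.
            if current is None:
                raise ValueError(f"line {lineno}: reply item before any user")
            current['reply'].extend(_split_items(line))
        else:
            user, _, rest = line.partition(' ')
            current = {'user': user, 'check': _split_items(rest), 'reply': []}
            entries.append(current)
    return entries


def lookup(entries, username):
    """Entry for an exact username, else the DEFAULT entry, else None."""
    for entry in entries:
        if entry['user'] == username:
            return entry
    for entry in entries:
        if entry['user'] == 'DEFAULT':
            return entry
    return None


def check_static_ips(entries):
    """Flag malformed Framed-IP-Address values and addresses given to two users."""
    problems, owner = [], {}
    for entry in entries:
        for name, _op, value in entry['reply']:
            if name != 'Framed-IP-Address':
                continue
            try:
                ip = ipaddress.ip_address(value)
            except ValueError:
                problems.append(f"{entry['user']}: invalid Framed-IP-Address {value!r}")
                continue
            if ip in owner:
                problems.append(f"{entry['user']}: {ip} already assigned to {owner[ip]}")
            else:
                owner[ip] = entry['user']
    return problems


def missing_cascade(entries, identifier):
    """Users whose entry lacks 'Auth-Type = <identifier>', so the request would
    stay with AuthBy FILE instead of cascading to that AuthBy (here the group
    that runs the NCSU and Hesiod checks)."""
    return [e['user'] for e in entries
            if ('Auth-Type', '=', identifier) not in e['check']]


if __name__ == '__main__':
    parsed = parse_users_file(SAMPLE_USERS_FILE)
    for line in check_static_ips(parsed) + [
            f"{u}: no 'Auth-Type = vpn' check item" for u in missing_cascade(parsed, 'vpn')]:
        print(line)
```

Run it against a real file by replacing SAMPLE_USERS_FILE with the file's contents; the constructed sample reports userC's duplicate address, userD's bad address, and userD's missing Auth-Type. The last check is the one that matters most with this design: the cascade in the users file is what sends every request on to the NCSU and Hesiod group, so an entry that drops it silently changes how that user is authenticated.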
