(RADIATOR) RewriteUsername - AuthBy LDAP

Hugh Irvine hugh at open.com.au
Tue Aug 2 21:06:08 CDT 2005


Hello Scott -

When you enable radius authentication on a network device (NAS) it is  
generally to avoid having to define anything on the NAS at all.

What is usually done is to return suitable radius reply attributes in  
the access accept that are appropriate for the particular user  
(rewritten usernames are not returned to the NAS except in very  
particular circumstances).

So in your case you would use AddToReply in your AuthBy clause for  
common reply attributes, together with any relevant reply attributes  
defined on a per-user basis. You can use multiple AuthBy clauses if  
required.


<Realm box.somenet.net>
         # Strip the realm before the AuthBy sees the username
         RewriteUsername s/^([^@]+).*/$1/
         <AuthBy LDAP2>
                 NoDefault
                 Host localhost
                 AuthDN cn=admin, dc=somenet, dc=net
                 AuthPassword <scrubbed>
                 BaseDN dc=somenet, dc=net
                 Version 3
                 UsernameAttr    cn
                 PasswordAttr   passwd
                 ServerChecksPassword
                 Debug 255
                 # Reply attributes common to every user authenticated here.
                 # There is deliberately no RewriteUsername in this clause,
                 # so the LDAP lookup is done on the real username.
                 AddToReply ......
         </AuthBy>
         # Log accounting to a detail file
         AcctLogFileName %D/detail
</Realm>


hope this helps

regards

Hugh


On 3 Aug 2005, at 10:40, Scott Ehnert wrote:

> Hello,
>
> Warning: novice radius user...
>
> What I am trying to accomplish is this:
>
> Any given user tries to connect to a network device by connecting with
> their username, i.e. 'ssh someuser at box.somenet.net'.  The Radius
> server authenticates on user 'someuser', maps that to a pre-defined
> access class, then rewrites 'someuser' to user 'full-access' after the
> LDAP authentication has been completed.  User 'full-access' will be
> defined as a user on the NAS, this way I don't have to define
> individual users on each individual device, I can instead define a
> class with appropriate privileges.
>
> What happens now if I use the RewriteUsername function is that it does
> the rewrite before the LDAP authorization occurs, returning an
> Access-Reject as there is no username.
>
> Is this something that can be accomplished as I have described it?  Is
> there a different/better way?
>
> ----Archive info----
> I found one reference in the archive that may be appropriate...
>
> http://www.open.com.au/archives/radiator/2004-06/msg00170.html
> You may need to remove the first User-Name before adding the second
> one (whether this works on the Cisco remains to be seen).
>
>     StripFromReply User-Name
>     AddToReply User-Name = .....
>
> ----end Archive info----
>
> My basic info follows.  I have the first rewrite to strip the Realm;
> the second rewrite is currently for testing and is not intended to be
> the final syntax.
>
> config file snippet:
>
> <Realm box.somenet.net>
>         RewriteUsername s/^([^@]+).*/$1/
>         <AuthBy LDAP2>
>                 NoDefault
>                 Host localhost
>                 AuthDN cn=admin, dc=somenet, dc=net
>                 AuthPassword <scrubbed>
>                 BaseDN dc=somenet, dc=net
>                 Version 3
>                 UsernameAttr    cn
>                 PasswordAttr   passwd
>                 ServerChecksPassword
>                 Debug 255
>                 RewriteUsername     s/^.*/radius2/
>         </AuthBy>
>         # Log accounting to a detail file
>         AcctLogFileName %D/detail
> </Realm>
>
> radiusd output snippet:
>
> Tue Aug  2 17:10:55 2005: DEBUG: No entries for radius2 found in LDAP database
> Tue Aug  2 17:10:55 2005: DEBUG: Radius::AuthLDAP2 looks for match with radius2
> Tue Aug  2 17:10:55 2005: INFO: Access rejected for radius2: No such user
> Tue Aug  2 17:10:55 2005: DEBUG: Packet dump:
> *** Sending to 10.255.255.243 port 4491 ....
>
> Packet length = 36
> 03 d8 00 24 b4 04 34 15 54 42 24 21 81 5e 69 53
> ba f9 db 11 12 10 52 65 71 75 65 73 74 20 44 65
> 6e 69 65 64
> Code:       Access-Reject
> Identifier: 216
> Authentic:  Z<255><18><244><1><240>)<16><188><27>$<148><165><5><168>s
> Attributes:
>         Reply-Message = "Request Denied"
>
>
> Thanks for any help,
>
> -=Scott
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>


NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
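As an added illustration (not code from this thread or from Radiator), the following Python models the processing order that Scott's trace shows: the Realm-level RewriteUsername runs first, then any RewriteUsername inside the AuthBy, and only the resulting name is looked up in the directory. It contrasts Scott's configuration (a second rewrite to 'radius2' inside the AuthBy, which is why LDAP is searched for a user that does not exist) with Hugh's suggestion (no rewrite in the AuthBy; the user's privilege level travels back in reply attributes instead of a rewritten User-Name). The directory entries, the "accessclass" attribute, the class-to-attribute mapping and the Idle-Timeout standing in for the elided AddToReply line are all constructed for this example.

```python
import hmac
import re

# Constructed stand-in for the directory under dc=somenet,dc=net.
# These entries, the "accessclass" attribute and its values are assumptions
# made for this example, not data from the thread.
LDAP_USERS = {
    "someuser": {"passwd": "s3cret", "accessclass": "full-access"},
    "helpdesk": {"passwd": "hunter2", "accessclass": "read-only"},
}

# Per-class reply attributes (illustrative; the Service-Type values are the
# standard RFC 2865 ones).  Which reply attributes a given NAS honours
# depends on its RADIUS dictionary and vendor.
CLASS_REPLY_ATTRS = {
    "full-access": [("Service-Type", "Administrative-User")],
    "read-only": [("Service-Type", "NAS-Prompt-User")],
}

REJECT_REPLY = [("Reply-Message", "Request Denied")]


def apply_rewrite(username, rule):
    """Apply one RewriteUsername rule written as a Perl-style s/pattern/replacement/.

    Only the plain s/.../.../ form used in the thread is supported (no flags,
    no escaped slashes).  Perl's $1..$9 are mapped to Python's \\1..\\9.
    """
    m = re.fullmatch(r"s/(.*?)/(.*?)/", rule)
    if not m:
        raise ValueError("unsupported rewrite rule: %r" % rule)
    pattern, repl = m.groups()
    repl = re.sub(r"\$(\d)", r"\\\1", repl)
    return re.sub(pattern, repl, username, count=1)


def authenticate(username, password, realm_rewrites, authby_rewrites, common_reply):
    """Model of the order the trace in the thread shows.

    Realm-level RewriteUsername rules run first, then the AuthBy's own
    RewriteUsername rules, and only the resulting name is looked up.
    Returns (code, reply_attributes, name_looked_up).
    """
    name = username
    for rule in realm_rewrites:
        name = apply_rewrite(name, rule)
    for rule in authby_rewrites:
        name = apply_rewrite(name, rule)

    entry = LDAP_USERS.get(name)
    if entry is None:
        # Radiator logs this as "No entries for <name> found in LDAP database"
        return "Access-Reject", REJECT_REPLY, name
    # A constant-time compare stands in for the LDAP server checking the
    # password (ServerChecksPassword in the real configuration).
    if not hmac.compare_digest(entry["passwd"].encode(), password.encode()):
        return "Access-Reject", REJECT_REPLY, name

    # AddToReply attributes common to everyone, then the per-user ones derived
    # from the directory entry.  The User-Name is deliberately not rewritten.
    reply = list(common_reply) + CLASS_REPLY_ATTRS.get(entry["accessclass"], [])
    return "Access-Accept", reply, name


# Realm-level rule from both configurations: keep everything before the first '@'.
STRIP_REALM = ["s/^([^@]+).*/$1/"]


def scott_config(username, password):
    """Scott's configuration: a second RewriteUsername inside the AuthBy."""
    return authenticate(username, password, STRIP_REALM, ["s/^.*/radius2/"], [])


def hugh_config(username, password):
    """Hugh's suggestion: no rewrite in the AuthBy; privileges go back as reply attributes.

    Idle-Timeout is an assumed stand-in for the elided AddToReply line.
    """
    return authenticate(username, password, STRIP_REALM, [],
                        [("Idle-Timeout", "600")])


if __name__ == "__main__":
    user, pw = "someuser@box.somenet.net", "s3cret"
    print("Scott:", scott_config(user, pw))
    print("Hugh: ", hugh_config(user, pw))
    print("Hugh (helpdesk):", hugh_config("helpdesk", "hunter2"))
    # A name that starts with '@' does not match the realm-stripping rule at
    # all, so it is looked up unchanged and rejected.
    print("Hugh (@-only):", hugh_config("@box.somenet.net", pw))
```

Run as a script, the first call shows the name actually searched for is 'radius2' and the result is Access-Reject, matching the trace; the second looks up 'someuser' and returns an Access-Accept whose reply attributes, not its User-Name, carry the access class. Note also the edge case in the last call: `s/^([^@]+).*/$1/` requires at least one character before the '@', so a username beginning with '@' passes through the realm rewrite untouched.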

