(RADIATOR) RewriteUsername - AuthBy LDAP

Scott Ehnert scott.ehnert at gmail.com
Tue Aug 2 21:22:43 CDT 2005 

Hello Hugh,

Thank you for the quick reply.  I believe I may have made a mistake by
using the term NAS.  What I am trying to do is establish radius
authentication for configuration access to routers and switches in my
network.  This is opposed to authenticating PPP dialup users for
instance.  In this case, I believe my query makes more sense?

Regards,

-=Scott

On 8/2/05, Hugh Irvine <hugh at open.com.au> wrote:
> 
> Hello Scott -
> 
> When you enable radius authentication on a network device (NAS) it is
> generally to avoid having to define anything on the NAS at all.
> 
> What is uaually done is to return suitable radius reply attributes in
> the access accept that are appropriate for the particular user
> (rewritten usernames are not returned to the NAS except in very
> particular circumstances).
> 
> So in your case you would use AddToReply in your AuthBy clause for
> common reply attributes, together with any relevant reply attributes
> defined on a per-user basis. You can use multiple AuthBy clauses if
> required.
> 
> 
> <Realm box.somenet.net>
>          RewriteUsername s/^([^@]+).*/$1/
>          <AuthBy LDAP2>
>                  NoDefault
>                  Host localhost
>                  AuthDN cn=admin, dc=somenet, dc=net
>                  AuthPassword <scrubbed>
>                  BaseDN dc=somenet, dc=net
>                  Version 3
>                  UsernameAttr    cn
>                  PasswordAttr   passwd
>                  ServerChecksPassword
>                  Debug 255
>                  AddToReply ......
>          </AuthBy>
>          # Log accounting to a detail file
>          AcctLogFileName %D/detail
> </Realm>
> 
> 
> hope this helps
> 
> regards
> 
> Hugh
> 
> 
> On 3 Aug 2005, at 10:40, Scott Ehnert wrote:
> 
> > Hello,
> >
> > Warning: novice radius user...
> >
> > What I am trying to accomplish is this:
> >
> > Any given user tries to connect to a network device by connecting with
> > their username, i.e. 'ssh someuser at box.somenet.net'.  The Radius
> > server authenticates on user 'someuser', maps that to a pre-defined
> > access class, then rewrites 'someuser' to user 'full-access' after the
> > LDAP authentication has been completed.  User 'full-access' will be
> > defined as a user on the NAS, this way I don't have to define
> > individual users on each individual device, I can instead define a
> > class with appropriate privileges.
> >
> > What happens now if I use the RewriteUsername function is that it does
> > the rewrite before the LDAP authorization occurs, returning an
> > Access-Reject as there is no username.
> >
> > Is this something that can be accomplished as I have described it?  Is
> > there a different/better way?
> >
> > ----Archive info----
> > I found one reference in the archive that may be appropriate...
> >
> > http://www.open.com.au/archives/radiator/2004-06/msg00170.html
> > You may need to remove the first User-Name before adding the second
> > one (whether this works on the Cisco remains to be seen).
> >
> >     StripFromReply User-Name
> >     AddToReply User-Name = .....
> >
> > ----end Archive info----
> >
> > my basic info follows.  I have the first rewrite to strip the Realm,
> > the second rewrite is currently for testing and is not intended to be
> > the final syntax.
> >
> > config file snippet:
> >
> > <Realm box.somenet.net>
> >         RewriteUsername s/^([^@]+).*/$1/
> >         <AuthBy LDAP2>
> >         NoDefault
> >         Host localhost
> >         AuthDN cn=admin, dc=somenet, dc=net
> >         AuthPassword <scrubbed>
> >         BaseDN dc=somenet, dc=net
> >         Version 3
> >         UsernameAttr    cn
> >         PasswordAttr   passwd
> >         ServerChecksPassword
> >         Debug 255
> >         RewriteUsername     s/^.*/radius2/
> >         </AuthBy>
> >         # Log accounting to a detail file
> >         AcctLogFileName %D/detail
> > </Realm>
> >
> > radiusd output snippet:
> >
> > Tue Aug  2 17:10:55 2005: DEBUG: No entries for radius2 found in
> > LDAP database
> > Tue Aug  2 17:10:55 2005: DEBUG: Radius::AuthLDAP2 looks for match
> > with radius2
> > Tue Aug  2 17:10:55 2005: INFO: Access rejected for radius2: No
> > such user
> > Tue Aug  2 17:10:55 2005: DEBUG: Packet dump:
> > *** Sending to 10.255.255.243 port 4491 ....
> >
> > Packet length = 36
> > 03 d8 00 24 b4 04 34 15 54 42 24 21 81 5e 69 53
> > ba f9 db 11 12 10 52 65 71 75 65 73 74 20 44 65
> > 6e 69 65 64
> > Code:       Access-Reject
> > Identifier: 216
> > Authentic:  Z<255><18><244><1><240>)<16><188><27>$<148><165><5><168>s
> > Attributes:
> >         Reply-Message = "Request Denied"
> >
> >
> > Thanks for any help,
> >
> > -=Scott
> >
> > --
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
> >
> 
> 
> NB:
> 
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/
> radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> 
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
> 
> 
>

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

More information about the radiator mailing list