(RADIATOR) RewriteUsername - AuthBy LDAP

Hugh Irvine hugh at open.com.au
Tue Aug 2 21:39:03 CDT 2005 

Hello Scott -

Even for configuration access, radius is used in the same way as  
described in my previous mail.

BTW - if this is for Cisco equipement, Radiator now supports full  
TACACS+ operation for authentication, authorisation and accounting.

There is an example in "goodies/tacacsplusserver.cfg".

regards

Hugh


On 3 Aug 2005, at 12:22, Scott Ehnert wrote:

> Hello Hugh,
>
> Thank you for the quick reply.  I believe I may have made a mistake by
> using the term NAS.  What I am trying to do is establish radius
> authentication for configuration access to routers and switches in my
> network.  This is opposed to authenticating PPP dialup users for
> instance.  In this case, I believe my query makes more sense?
>
> Regards,
>
> -=Scott
>
> On 8/2/05, Hugh Irvine <hugh at open.com.au> wrote:
>
>>
>> Hello Scott -
>>
>> When you enable radius authentication on a network device (NAS) it is
>> generally to avoid having to define anything on the NAS at all.
>>
>> What is uaually done is to return suitable radius reply attributes in
>> the access accept that are appropriate for the particular user
>> (rewritten usernames are not returned to the NAS except in very
>> particular circumstances).
>>
>> So in your case you would use AddToReply in your AuthBy clause for
>> common reply attributes, together with any relevant reply attributes
>> defined on a per-user basis. You can use multiple AuthBy clauses if
>> required.
>>
>>
>> <Realm box.somenet.net>
>>          RewriteUsername s/^([^@]+).*/$1/
>>          <AuthBy LDAP2>
>>                  NoDefault
>>                  Host localhost
>>                  AuthDN cn=admin, dc=somenet, dc=net
>>                  AuthPassword <scrubbed>
>>                  BaseDN dc=somenet, dc=net
>>                  Version 3
>>                  UsernameAttr    cn
>>                  PasswordAttr   passwd
>>                  ServerChecksPassword
>>                  Debug 255
>>                  AddToReply ......
>>          </AuthBy>
>>          # Log accounting to a detail file
>>          AcctLogFileName %D/detail
>> </Realm>
>>
>>
>> hope this helps
>>
>> regards
>>
>> Hugh
>>
>>
>> On 3 Aug 2005, at 10:40, Scott Ehnert wrote:
>>
>>
>>> Hello,
>>>
>>> Warning: novice radius user...
>>>
>>> What I am trying to accomplish is this:
>>>
>>> Any given user tries to connect to a network device by connecting  
>>> with
>>> their username, i.e. 'ssh someuser at box.somenet.net'.  The Radius
>>> server authenticates on user 'someuser', maps that to a pre-defined
>>> access class, then rewrites 'someuser' to user 'full-access'  
>>> after the
>>> LDAP authentication has been completed.  User 'full-access' will be
>>> defined as a user on the NAS, this way I don't have to define
>>> individual users on each individual device, I can instead define a
>>> class with appropriate privileges.
>>>
>>> What happens now if I use the RewriteUsername function is that it  
>>> does
>>> the rewrite before the LDAP authorization occurs, returning an
>>> Access-Reject as there is no username.
>>>
>>> Is this something that can be accomplished as I have described  
>>> it?  Is
>>> there a different/better way?
>>>
>>> ----Archive info----
>>> I found one reference in the archive that may be appropriate...
>>>
>>> http://www.open.com.au/archives/radiator/2004-06/msg00170.html
>>> You may need to remove the first User-Name before adding the second
>>> one (whether this works on the Cisco remains to be seen).
>>>
>>>     StripFromReply User-Name
>>>     AddToReply User-Name = .....
>>>
>>> ----end Archive info----
>>>
>>> my basic info follows.  I have the first rewrite to strip the Realm,
>>> the second rewrite is currently for testing and is not intended  
>>> to be
>>> the final syntax.
>>>
>>> config file snippet:
>>>
>>> <Realm box.somenet.net>
>>>         RewriteUsername s/^([^@]+).*/$1/
>>>         <AuthBy LDAP2>
>>>         NoDefault
>>>         Host localhost
>>>         AuthDN cn=admin, dc=somenet, dc=net
>>>         AuthPassword <scrubbed>
>>>         BaseDN dc=somenet, dc=net
>>>         Version 3
>>>         UsernameAttr    cn
>>>         PasswordAttr   passwd
>>>         ServerChecksPassword
>>>         Debug 255
>>>         RewriteUsername     s/^.*/radius2/
>>>         </AuthBy>
>>>         # Log accounting to a detail file
>>>         AcctLogFileName %D/detail
>>> </Realm>
>>>
>>> radiusd output snippet:
>>>
>>> Tue Aug  2 17:10:55 2005: DEBUG: No entries for radius2 found in
>>> LDAP database
>>> Tue Aug  2 17:10:55 2005: DEBUG: Radius::AuthLDAP2 looks for match
>>> with radius2
>>> Tue Aug  2 17:10:55 2005: INFO: Access rejected for radius2: No
>>> such user
>>> Tue Aug  2 17:10:55 2005: DEBUG: Packet dump:
>>> *** Sending to 10.255.255.243 port 4491 ....
>>>
>>> Packet length = 36
>>> 03 d8 00 24 b4 04 34 15 54 42 24 21 81 5e 69 53
>>> ba f9 db 11 12 10 52 65 71 75 65 73 74 20 44 65
>>> 6e 69 65 64
>>> Code:       Access-Reject
>>> Identifier: 216
>>> Authentic:  Z<255><18><244><1><240>)<16><188><27> 
>>> $<148><165><5><168>s
>>> Attributes:
>>>         Reply-Message = "Request Denied"
>>>
>>>
>>> Thanks for any help,
>>>
>>> -=Scott
>>>
>>> --
>>> Archive at http://www.open.com.au/archives/radiator/
>>> Announcements on radiator-announce at open.com.au
>>> To unsubscribe, email 'majordomo at open.com.au' with
>>> 'unsubscribe radiator' in the body of the message.
>>>
>>>
>>
>>
>> NB:
>>
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive (www.open.com.au/archives/
>> radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>>
>> --
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>
>>
>>
>


NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/ 
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.


--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

More information about the radiator mailing list