(RADIATOR) RewriteUsername - AuthBy LDAP
Hugh Irvine
hugh at open.com.au
Tue Aug 2 21:39:03 CDT 2005
Hello Scott -
Even for configuration access, radius is used in the same way as
described in my previous mail.
BTW - if this is for Cisco equipement, Radiator now supports full
TACACS+ operation for authentication, authorisation and accounting.
There is an example in "goodies/tacacsplusserver.cfg".
regards
Hugh
On 3 Aug 2005, at 12:22, Scott Ehnert wrote:
> Hello Hugh,
>
> Thank you for the quick reply. I believe I may have made a mistake by
> using the term NAS. What I am trying to do is establish radius
> authentication for configuration access to routers and switches in my
> network. This is opposed to authenticating PPP dialup users for
> instance. In this case, I believe my query makes more sense?
>
> Regards,
>
> -=Scott
>
> On 8/2/05, Hugh Irvine <hugh at open.com.au> wrote:
>
>>
>> Hello Scott -
>>
>> When you enable radius authentication on a network device (NAS) it is
>> generally to avoid having to define anything on the NAS at all.
>>
>> What is uaually done is to return suitable radius reply attributes in
>> the access accept that are appropriate for the particular user
>> (rewritten usernames are not returned to the NAS except in very
>> particular circumstances).
>>
>> So in your case you would use AddToReply in your AuthBy clause for
>> common reply attributes, together with any relevant reply attributes
>> defined on a per-user basis. You can use multiple AuthBy clauses if
>> required.
>>
>>
>> <Realm box.somenet.net>
>> RewriteUsername s/^([^@]+).*/$1/
>> <AuthBy LDAP2>
>> NoDefault
>> Host localhost
>> AuthDN cn=admin, dc=somenet, dc=net
>> AuthPassword <scrubbed>
>> BaseDN dc=somenet, dc=net
>> Version 3
>> UsernameAttr cn
>> PasswordAttr passwd
>> ServerChecksPassword
>> Debug 255
>> AddToReply ......
>> </AuthBy>
>> # Log accounting to a detail file
>> AcctLogFileName %D/detail
>> </Realm>
>>
>>
>> hope this helps
>>
>> regards
>>
>> Hugh
>>
>>
>> On 3 Aug 2005, at 10:40, Scott Ehnert wrote:
>>
>>
>>> Hello,
>>>
>>> Warning: novice radius user...
>>>
>>> What I am trying to accomplish is this:
>>>
>>> Any given user tries to connect to a network device by connecting
>>> with
>>> their username, i.e. 'ssh someuser at box.somenet.net'. The Radius
>>> server authenticates on user 'someuser', maps that to a pre-defined
>>> access class, then rewrites 'someuser' to user 'full-access'
>>> after the
>>> LDAP authentication has been completed. User 'full-access' will be
>>> defined as a user on the NAS, this way I don't have to define
>>> individual users on each individual device, I can instead define a
>>> class with appropriate privileges.
>>>
>>> What happens now if I use the RewriteUsername function is that it
>>> does
>>> the rewrite before the LDAP authorization occurs, returning an
>>> Access-Reject as there is no username.
>>>
>>> Is this something that can be accomplished as I have described
>>> it? Is
>>> there a different/better way?
>>>
>>> ----Archive info----
>>> I found one reference in the archive that may be appropriate...
>>>
>>> http://www.open.com.au/archives/radiator/2004-06/msg00170.html
>>> You may need to remove the first User-Name before adding the second
>>> one (whether this works on the Cisco remains to be seen).
>>>
>>> StripFromReply User-Name
>>> AddToReply User-Name = .....
>>>
>>> ----end Archive info----
>>>
>>> my basic info follows. I have the first rewrite to strip the Realm,
>>> the second rewrite is currently for testing and is not intended
>>> to be
>>> the final syntax.
>>>
>>> config file snippet:
>>>
>>> <Realm box.somenet.net>
>>> RewriteUsername s/^([^@]+).*/$1/
>>> <AuthBy LDAP2>
>>> NoDefault
>>> Host localhost
>>> AuthDN cn=admin, dc=somenet, dc=net
>>> AuthPassword <scrubbed>
>>> BaseDN dc=somenet, dc=net
>>> Version 3
>>> UsernameAttr cn
>>> PasswordAttr passwd
>>> ServerChecksPassword
>>> Debug 255
>>> RewriteUsername s/^.*/radius2/
>>> </AuthBy>
>>> # Log accounting to a detail file
>>> AcctLogFileName %D/detail
>>> </Realm>
>>>
>>> radiusd output snippet:
>>>
>>> Tue Aug 2 17:10:55 2005: DEBUG: No entries for radius2 found in
>>> LDAP database
>>> Tue Aug 2 17:10:55 2005: DEBUG: Radius::AuthLDAP2 looks for match
>>> with radius2
>>> Tue Aug 2 17:10:55 2005: INFO: Access rejected for radius2: No
>>> such user
>>> Tue Aug 2 17:10:55 2005: DEBUG: Packet dump:
>>> *** Sending to 10.255.255.243 port 4491 ....
>>>
>>> Packet length = 36
>>> 03 d8 00 24 b4 04 34 15 54 42 24 21 81 5e 69 53
>>> ba f9 db 11 12 10 52 65 71 75 65 73 74 20 44 65
>>> 6e 69 65 64
>>> Code: Access-Reject
>>> Identifier: 216
>>> Authentic: Z<255><18><244><1><240>)<16><188><27>
>>> $<148><165><5><168>s
>>> Attributes:
>>> Reply-Message = "Request Denied"
>>>
>>>
>>> Thanks for any help,
>>>
>>> -=Scott
>>>
>>> --
>>> Archive at http://www.open.com.au/archives/radiator/
>>> Announcements on radiator-announce at open.com.au
>>> To unsubscribe, email 'majordomo at open.com.au' with
>>> 'unsubscribe radiator' in the body of the message.
>>>
>>>
>>
>>
>> NB:
>>
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive (www.open.com.au/archives/
>> radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>>
>> --
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>
>>
>>
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list