(RADIATOR) RewriteUsername - AuthBy LDAP
Scott Ehnert
scott.ehnert at gmail.com
Tue Aug 2 21:51:08 CDT 2005
Thanks for the clarification and patience. Unfortunately (or
fortunately depending on your perspective), I am using several types
of gear, none of which are Cisco. Radius is the only option supported
by all the various platforms for authentication.
Regards,
-=Scott
On 8/2/05, Hugh Irvine <hugh at open.com.au> wrote:
>
> Hello Scott -
>
> Even for configuration access, radius is used in the same way as
> described in my previous mail.
>
> BTW - if this is for Cisco equipment, Radiator now supports full
> TACACS+ operation for authentication, authorisation and accounting.
>
> There is an example in "goodies/tacacsplusserver.cfg".
>
> regards
>
> Hugh
>
>
> On 3 Aug 2005, at 12:22, Scott Ehnert wrote:
>
> > Hello Hugh,
> >
> > Thank you for the quick reply. I believe I may have made a mistake by
> > using the term NAS. What I am trying to do is establish radius
> > authentication for configuration access to routers and switches in my
> > network. This is opposed to authenticating PPP dialup users for
> > instance. In this case, I believe my query makes more sense?
> >
> > Regards,
> >
> > -=Scott
> >
> > On 8/2/05, Hugh Irvine <hugh at open.com.au> wrote:
> >
> >>
> >> Hello Scott -
> >>
> >> When you enable radius authentication on a network device (NAS) it is
> >> generally to avoid having to define anything on the NAS at all.
> >>
> >> What is usually done is to return suitable radius reply attributes in
> >> the access accept that are appropriate for the particular user
> >> (rewritten usernames are not returned to the NAS except in very
> >> particular circumstances).
> >>
> >> So in your case you would use AddToReply in your AuthBy clause for
> >> common reply attributes, together with any relevant reply attributes
> >> defined on a per-user basis. You can use multiple AuthBy clauses if
> >> required.
> >>
> >>
> >> <Realm box.somenet.net>
> >>     # Strip the realm before the LDAP lookup
> >>     RewriteUsername s/^([^@]+).*/$1/
> >>     <AuthBy LDAP2>
> >>         NoDefault
> >>         Host localhost
> >>         AuthDN cn=admin, dc=somenet, dc=net
> >>         AuthPassword <scrubbed>
> >>         BaseDN dc=somenet, dc=net
> >>         Version 3
> >>         UsernameAttr cn
> >>         PasswordAttr passwd
> >>         ServerChecksPassword
> >>         Debug 255
> >>         # Common reply attributes for every user in this realm
> >>         AddToReply ......
> >>     </AuthBy>
> >>     # Log accounting to a detail file
> >>     AcctLogFileName %D/detail
> >> </Realm>
> >>
> >>
> >> hope this helps
> >>
> >> regards
> >>
> >> Hugh
> >>
> >>
> >> On 3 Aug 2005, at 10:40, Scott Ehnert wrote:
> >>
> >>
> >>> Hello,
> >>>
> >>> Warning: novice radius user...
> >>>
> >>> What I am trying to accomplish is this:
> >>>
> >>> Any given user tries to connect to a network device by connecting with
> >>> their username, i.e. 'ssh someuser@box.somenet.net'. The Radius
> >>> server authenticates on user 'someuser', maps that to a pre-defined
> >>> access class, then rewrites 'someuser' to user 'full-access' after the
> >>> LDAP authentication has been completed. User 'full-access' will be
> >>> defined as a user on the NAS; this way I don't have to define
> >>> individual users on each individual device, I can instead define a
> >>> class with appropriate privileges.
> >>>
> >>> What happens now if I use the RewriteUsername function is that it does
> >>> the rewrite before the LDAP authorization occurs, returning an
> >>> Access-Reject as there is no username.
> >>>
> >>> Is this something that can be accomplished as I have described it? Is
> >>> there a different/better way?
> >>>
> >>> ----Archive info----
> >>> I found one reference in the archive that may be appropriate...
> >>>
> >>> http://www.open.com.au/archives/radiator/2004-06/msg00170.html
> >>> You may need to remove the first User-Name before adding the second
> >>> one (whether this works on the Cisco remains to be seen).
> >>>
> >>> StripFromReply User-Name
> >>> AddToReply User-Name = .....
> >>>
> >>> ----end Archive info----
> >>>
> >>> My basic info follows. I have the first rewrite to strip the Realm;
> >>> the second rewrite is currently for testing and is not intended to be
> >>> the final syntax.
> >>>
> >>> config file snippet:
> >>>
> >>> <Realm box.somenet.net>
> >>>     # First rewrite: strip the realm
> >>>     RewriteUsername s/^([^@]+).*/$1/
> >>>     <AuthBy LDAP2>
> >>>         NoDefault
> >>>         Host localhost
> >>>         AuthDN cn=admin, dc=somenet, dc=net
> >>>         AuthPassword <scrubbed>
> >>>         BaseDN dc=somenet, dc=net
> >>>         Version 3
> >>>         UsernameAttr cn
> >>>         PasswordAttr passwd
> >>>         ServerChecksPassword
> >>>         Debug 255
> >>>         # Second rewrite: for testing only, not the intended final syntax
> >>>         RewriteUsername s/^.*/radius2/
> >>>     </AuthBy>
> >>>     # Log accounting to a detail file
> >>>     AcctLogFileName %D/detail
> >>> </Realm>
> >>>
> >>> radiusd output snippet:
> >>>
> >>> Tue Aug 2 17:10:55 2005: DEBUG: No entries for radius2 found in
> >>> LDAP database
> >>> Tue Aug 2 17:10:55 2005: DEBUG: Radius::AuthLDAP2 looks for match
> >>> with radius2
> >>> Tue Aug 2 17:10:55 2005: INFO: Access rejected for radius2: No
> >>> such user
> >>> Tue Aug 2 17:10:55 2005: DEBUG: Packet dump:
> >>> *** Sending to 10.255.255.243 port 4491 ....
> >>>
> >>> Packet length = 36
> >>> 03 d8 00 24 b4 04 34 15 54 42 24 21 81 5e 69 53
> >>> ba f9 db 11 12 10 52 65 71 75 65 73 74 20 44 65
> >>> 6e 69 65 64
> >>> Code: Access-Reject
> >>> Identifier: 216
> >>> Authentic: Z<255><18><244><1><240>)<16><188><27>
> >>> $<148><165><5><168>s
> >>> Attributes:
> >>> Reply-Message = "Request Denied"
> >>>
> >>>
> >>> Thanks for any help,
> >>>
> >>> -=Scott
> >>>
> >>> --
> >>> Archive at http://www.open.com.au/archives/radiator/
> >>> Announcements on radiator-announce at open.com.au
> >>> To unsubscribe, email 'majordomo at open.com.au' with
> >>> 'unsubscribe radiator' in the body of the message.
> >>>
> >>>
> >>
> >>
> >> NB:
> >>
> >> Have you read the reference manual ("doc/ref.html")?
> >> Have you searched the mailing list archive (www.open.com.au/archives/
> >> radiator)?
> >> Have you had a quick look on Google (www.google.com)?
> >> Have you included a copy of your configuration file (no secrets),
> >> together with a trace 4 debug showing what is happening?
> >>
> >> --
> >> Radiator: the most portable, flexible and configurable RADIUS server
> >> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> >> -
> >> Nets: internetwork inventory and management - graphical, extensible,
> >> flexible with hardware, software, platform and database independence.
> >> -
> >> CATool: Private Certificate Authority for Unix and Unix-like systems.
> >>
> >>
> >>
> >
>
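Hugh's suggestion, carried through as an added example configuration. This is not code from the thread or from the Radiator distribution, and it assumes an LDAP server at ldap.somenet.net, a read-only bind DN cn=radiator,ou=service,dc=somenet,dc=net, an administrators group cn=netadmins,ou=groups,dc=somenet,dc=net and a per-user LDAP attribute radiusReplyItem that carries RADIUS reply items; all of those names are assumptions. The point is the one Hugh makes: the NAS learns the user's access class from the reply attributes in the Access-Accept, so no shared 'full-access' account has to exist on any device, no RewriteUsername runs after authentication, and the device still logs the real login name.

```conf
# Added example (not from the thread): authenticate network administrators
# against LDAP and hand the NAS an access class via reply attributes,
# instead of rewriting the User-Name to a shared local account.

<Realm box.somenet.net>
    # Strip the realm so 'someuser@box.somenet.net' is looked up as 'someuser'.
    # RewriteUsername runs BEFORE the AuthBy lookup (the original trace shows
    # "looks for match with radius2"), so nothing may rewrite the name to a
    # class name here or the LDAP search will fail.
    RewriteUsername s/^([^@]+).*/$1/

    <AuthBy LDAP2>
        NoDefault
        # Assumed directory host; LDAP over SSL so credentials and reply
        # items do not cross the network in clear.
        Host            ldap.somenet.net
        Port            636
        UseSSL
        # Assumed read-only service bind; not the directory admin account.
        AuthDN          cn=radiator,ou=service,dc=somenet,dc=net
        AuthPassword    <scrubbed>
        BaseDN          ou=people,dc=somenet,dc=net
        Version         3
        UsernameAttr    uid
        # Let the directory verify the password by binding as the user, so no
        # password attribute is read back over the wire and PasswordAttr is
        # not needed.
        ServerChecksPassword

        # Only members of the assumed admin group get an Access-Accept at all.
        # %0 is UsernameAttr and %1 the (already rewritten) user name.
        SearchFilter    (&(%0=%1)(memberOf=cn=netadmins,ou=groups,dc=somenet,dc=net))

        # Per-user reply items from the assumed LDAP attribute, e.g. a value of
        # 'Service-Type = NAS-Prompt-User' on a read-only operator's entry.
        AuthAttrDef     radiusReplyItem,GENERIC,reply

        # Common reply item for everyone who passes, added only when the
        # user's own entry did not already set it (avoids two Service-Types
        # in one reply).
        AddToReplyIfNotExist Service-Type = Administrative-User

        # Never return a User-Name: the NAS must keep the real login name
        # for its own logs and accounting.
        StripFromReply  User-Name
    </AuthBy>

    # Log accounting to a detail file
    AcctLogFileName %D/detail
</Realm>
```

Service-Type is the standard attribute; a NAS that expresses its privilege level with a vendor-specific attribute is fed that attribute the same way, either in AddToReplyIfNotExist for the common case or in the per-user LDAP attribute for exceptions. Check the result with a trace 4 debug: the Access-Accept should carry the Service-Type and no User-Name, and a user outside the assumed group should be rejected with "No such user" because the search filter excludes the entry.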