(RADIATOR) RewriteUsername - AuthBy LDAP
Hugh Irvine
hugh at open.com.au
Tue Aug 2 21:57:53 CDT 2005
Hello Scott -
Understood.
You should check with the vendors concerned to determine how best to
do the radius authentication.
I will be happy to help if you can send me any relevant URL's.
regards
Hugh
On 3 Aug 2005, at 12:51, Scott Ehnert wrote:
> Thanks for the clarification and patience. Unfortunately (or
> fortunately depending on your perspective), I am using several types
> of gear, none of which are Cisco. Radius is the only option supported
> by all the various platforms for authentication.
>
> Regards,
>
> -=Scott
>
> On 8/2/05, Hugh Irvine <hugh at open.com.au> wrote:
>
>>
>> Hello Scott -
>>
>> Even for configuration access, radius is used in the same way as
>> described in my previous mail.
>>
>> BTW - if this is for Cisco equipement, Radiator now supports full
>> TACACS+ operation for authentication, authorisation and accounting.
>>
>> There is an example in "goodies/tacacsplusserver.cfg".
>>
>> regards
>>
>> Hugh
>>
>>
>> On 3 Aug 2005, at 12:22, Scott Ehnert wrote:
>>
>>
>>> Hello Hugh,
>>>
>>> Thank you for the quick reply. I believe I may have made a
>>> mistake by
>>> using the term NAS. What I am trying to do is establish radius
>>> authentication for configuration access to routers and switches
>>> in my
>>> network. This is opposed to authenticating PPP dialup users for
>>> instance. In this case, I believe my query makes more sense?
>>>
>>> Regards,
>>>
>>> -=Scott
>>>
>>> On 8/2/05, Hugh Irvine <hugh at open.com.au> wrote:
>>>
>>>
>>>>
>>>> Hello Scott -
>>>>
>>>> When you enable radius authentication on a network device (NAS)
>>>> it is
>>>> generally to avoid having to define anything on the NAS at all.
>>>>
>>>> What is uaually done is to return suitable radius reply
>>>> attributes in
>>>> the access accept that are appropriate for the particular user
>>>> (rewritten usernames are not returned to the NAS except in very
>>>> particular circumstances).
>>>>
>>>> So in your case you would use AddToReply in your AuthBy clause for
>>>> common reply attributes, together with any relevant reply
>>>> attributes
>>>> defined on a per-user basis. You can use multiple AuthBy clauses if
>>>> required.
>>>>
>>>>
>>>> <Realm box.somenet.net>
>>>> RewriteUsername s/^([^@]+).*/$1/
>>>> <AuthBy LDAP2>
>>>> NoDefault
>>>> Host localhost
>>>> AuthDN cn=admin, dc=somenet, dc=net
>>>> AuthPassword <scrubbed>
>>>> BaseDN dc=somenet, dc=net
>>>> Version 3
>>>> UsernameAttr cn
>>>> PasswordAttr passwd
>>>> ServerChecksPassword
>>>> Debug 255
>>>> AddToReply ......
>>>> </AuthBy>
>>>> # Log accounting to a detail file
>>>> AcctLogFileName %D/detail
>>>> </Realm>
>>>>
>>>>
>>>> hope this helps
>>>>
>>>> regards
>>>>
>>>> Hugh
>>>>
>>>>
>>>> On 3 Aug 2005, at 10:40, Scott Ehnert wrote:
>>>>
>>>>
>>>>
>>>>> Hello,
>>>>>
>>>>> Warning: novice radius user...
>>>>>
>>>>> What I am trying to accomplish is this:
>>>>>
>>>>> Any given user tries to connect to a network device by connecting
>>>>> with
>>>>> their username, i.e. 'ssh someuser at box.somenet.net'. The Radius
>>>>> server authenticates on user 'someuser', maps that to a pre-
>>>>> defined
>>>>> access class, then rewrites 'someuser' to user 'full-access'
>>>>> after the
>>>>> LDAP authentication has been completed. User 'full-access'
>>>>> will be
>>>>> defined as a user on the NAS, this way I don't have to define
>>>>> individual users on each individual device, I can instead define a
>>>>> class with appropriate privileges.
>>>>>
>>>>> What happens now if I use the RewriteUsername function is that it
>>>>> does
>>>>> the rewrite before the LDAP authorization occurs, returning an
>>>>> Access-Reject as there is no username.
>>>>>
>>>>> Is this something that can be accomplished as I have described
>>>>> it? Is
>>>>> there a different/better way?
>>>>>
>>>>> ----Archive info----
>>>>> I found one reference in the archive that may be appropriate...
>>>>>
>>>>> http://www.open.com.au/archives/radiator/2004-06/msg00170.html
>>>>> You may need to remove the first User-Name before adding the
>>>>> second
>>>>> one (whether this works on the Cisco remains to be seen).
>>>>>
>>>>> StripFromReply User-Name
>>>>> AddToReply User-Name = .....
>>>>>
>>>>> ----end Archive info----
>>>>>
>>>>> my basic info follows. I have the first rewrite to strip the
>>>>> Realm,
>>>>> the second rewrite is currently for testing and is not intended
>>>>> to be
>>>>> the final syntax.
>>>>>
>>>>> config file snippet:
>>>>>
>>>>> <Realm box.somenet.net>
>>>>> RewriteUsername s/^([^@]+).*/$1/
>>>>> <AuthBy LDAP2>
>>>>> NoDefault
>>>>> Host localhost
>>>>> AuthDN cn=admin, dc=somenet, dc=net
>>>>> AuthPassword <scrubbed>
>>>>> BaseDN dc=somenet, dc=net
>>>>> Version 3
>>>>> UsernameAttr cn
>>>>> PasswordAttr passwd
>>>>> ServerChecksPassword
>>>>> Debug 255
>>>>> RewriteUsername s/^.*/radius2/
>>>>> </AuthBy>
>>>>> # Log accounting to a detail file
>>>>> AcctLogFileName %D/detail
>>>>> </Realm>
>>>>>
>>>>> radiusd output snippet:
>>>>>
>>>>> Tue Aug 2 17:10:55 2005: DEBUG: No entries for radius2 found in
>>>>> LDAP database
>>>>> Tue Aug 2 17:10:55 2005: DEBUG: Radius::AuthLDAP2 looks for match
>>>>> with radius2
>>>>> Tue Aug 2 17:10:55 2005: INFO: Access rejected for radius2: No
>>>>> such user
>>>>> Tue Aug 2 17:10:55 2005: DEBUG: Packet dump:
>>>>> *** Sending to 10.255.255.243 port 4491 ....
>>>>>
>>>>> Packet length = 36
>>>>> 03 d8 00 24 b4 04 34 15 54 42 24 21 81 5e 69 53
>>>>> ba f9 db 11 12 10 52 65 71 75 65 73 74 20 44 65
>>>>> 6e 69 65 64
>>>>> Code: Access-Reject
>>>>> Identifier: 216
>>>>> Authentic: Z<255><18><244><1><240>)<16><188><27>
>>>>> $<148><165><5><168>s
>>>>> Attributes:
>>>>> Reply-Message = "Request Denied"
>>>>>
>>>>>
>>>>> Thanks for any help,
>>>>>
>>>>> -=Scott
>>>>>
>>>>> --
>>>>> Archive at http://www.open.com.au/archives/radiator/
>>>>> Announcements on radiator-announce at open.com.au
>>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>>> 'unsubscribe radiator' in the body of the message.
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> NB:
>>>>
>>>> Have you read the reference manual ("doc/ref.html")?
>>>> Have you searched the mailing list archive (www.open.com.au/
>>>> archives/
>>>> radiator)?
>>>> Have you had a quick look on Google (www.google.com)?
>>>> Have you included a copy of your configuration file (no secrets),
>>>> together with a trace 4 debug showing what is happening?
>>>>
>>>> --
>>>> Radiator: the most portable, flexible and configurable RADIUS
>>>> server
>>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>>> -
>>>> Nets: internetwork inventory and management - graphical,
>>>> extensible,
>>>> flexible with hardware, software, platform and database
>>>> independence.
>>>> -
>>>> CATool: Private Certificate Authority for Unix and Unix-like
>>>> systems.
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>> NB:
>>
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive (www.open.com.au/archives/
>> radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>>
>> --
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>
>>
>>
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list