(RADIATOR) using different nas for user groups
Hugh Irvine
hugh at open.com.au
Fri Mar 11 10:06:59 CST 2005
Hello -
Your configuration file looks quite good.
What I usually do for your type of situation is use the Identifier in
the Client clauses to indicate which group each NAS belongs to, then you can
use a check item in the user record and/or in the Handlers to do the
authentication.
Something like this:
<Client 1.1.1.1>
Identifier NAS-Group-1
.....
</Client>
<Client 2.2.2.2>
Identifier NAS-Group-1
.....
</Client>
<Client 3.3.3.3>
Identifier NAS-Group-1
.....
</Client>
.....
<Client n.n.n.n>
Identifier NAS-Group-X
.....
</Client>
.....
<Handler Client-Identifier = NAS-Group-1>
.....
</Handler>
<Handler Client-Identifier = NAS-Group-2>
.....
</Handler>
.....
<Handler Client-Identifier = NAS-Group-X>
.....
</Handler>
.....
For user check items in a flat file you would do this (or the
equivalent in LDAP or SQL or whatever):
someuser Password = xxxxxxx, Client-Identifier = NAS-Group-1
.....
.....
hope that helps
Hugh
On 11 Mar 2005, at 13:37, CHS wrote:
> hi,
> we have the following situation for dial-up and adsl customers which
> we want to handle with radiator. we do auth by ldap and accounting &
> logging by mysql db, which is already working.
> we have a lot of nas servers and a lot of different dial-up groups to
> handle and therefore want to specify different nas servers for different
> user groups.
> e.g. a user of type A should only be allowed to log in through nas
> servers 1.2.3.4 and 2.3.4.5, and a user of type B should only be allowed
> to log in through 1.2.3.4. one possibility for that would be to give
> the user every nas-ip-address he can log in through, which would work but
> is not that comfortable when you change an ip or add some nas servers.
>
> therefore we thought it would be nice to have something like an
> identifier for the user which is stored with the user in the ldap db. in the
> radius config I want to define something like a pool and tell it the
> ip's of the nas where the user is allowed to log in.
>
> I tried to do that through handlers but I don't know how to bind the user
> to a group and the group to the nas server.
>
> could you please tell me how to do that.
>
> thanks,
> stormc
>
> here is the radiator config file
> # ldap.cfg
> #
>
> Foreground
> LogStdout
> LogDir .
> LogFile /var/log/radius.log
> DbDir /usr/local/etc/******
>
> # Debugging Level & Logging
> # 0 ERR. Error conditions. Serious and unexpected failures
> # 1 WARNING. Warning conditions. Unexpected failures
> # 2 NOTICE. Normal but significant conditions.
> # 3 INFO. Informational messages.
> # 4 DEBUG. Debugging messages.
> # 5 Incoming raw packet dumps in hexadecimal.
> Trace 4
>
> PidFile /var/run/radius.pid
>
> ### NAS CLIENTS ###
> # default client if no other is defined
> <Client DEFAULT>
> Secret mysecret
> DupInterval 0
> </Client>
>
> ## Test Client ##
> <Client 1.2.3.4>
> Identifier Client1
> Secret xxxx
> # convert domain\username to username at domain
> # RewriteUsername s/^(.*)\\(.*)/$2\@$1/
> </Client>
>
> <ClientListLDAP>
> # Tell Radiator how to talk to the LDAP server
> Host localhost
>
> # LDAP server authentication.
> AuthDN cn=***, dc=***, dc=***
> AuthPassword ****
>
> # This is the top of the search tree where realm records
> # will be found. It should match the configuration
> # of your server, see /etc/openldap/slapd.conf
> BaseDN dc=***, dc=***
>
> # You can control the LDAP protocol version to be used
> # to talk to the LDAP server. OpenLDAP 2 requires
> # Version 3 unless you have 'allow bind_v2' in your
> # slapd.conf. Defaults to version 2
> Version 3
>
> # SearchFilter specifies how to find the LDAP records that
> # contain Client configuration information
> SearchFilter (&(objectclass=oscRadiusClient)(uid=%1))
>
> # Time in seconds that the clientldap db will be reread
> RefreshPeriod 1800
>
> # ClientAttrDef parameters allow you to alter the set of LDAP
> # attributes that will be fetched
> # Format is 'ClientAttrDef ldapattrname,clientparamname'
> ClientAttrDef oscRadiusClientName,Name
> ClientAttrDef oscRadiusSecret,Secret
> #ClientAttrDef oscRadiusIgnoreAcctSignature,IgnoreAcctSignature
> #ClientAttrDef oscRadiusDupInterval,DupInterval
> ClientAttrDef oscRadiusNasType,NasType
> ClientAttrDef oscRadiusSNMPCommunity,SNMPCommunity
> #ClientAttrDef oscRadiusLivingstonOffs,LivingstonOffs
> #ClientAttrDef oscRadiusLivingstonHole,LivingstonHole
> #ClientAttrDef oscRadiusFramedGroupBaseAddress,FramedGroupBaseAddress
> #ClientAttrDef oscRadiusFramedGroupMaxPortsPerClassC,FramedGroupMaxPortsPerClassC
> #ClientAttrDef oscRadiusFramedGroupPortOffset,FramedGroupPortOffset
> #ClientAttrDef oscRadiusRewriteUsername,RewriteUsername
> #ClientAttrDef oscRadiusUseOldAscendPasswords,UseOldAscendPasswords
> #ClientAttrDef oscRadiusStatusServerShowClientDetails,StatusServerShowClientDetails
> #ClientAttrDef oscRadiusPreHandlerHook,PreHandlerHook
> #ClientAttrDef oscRadiusPacketTrace,PacketTrace
> #ClientAttrDef oscRadiusIdenticalClients,IdenticalClients
> #ClientAttrDef oscRadiusNoIgnoreDuplicates,NoIgnoreDuplicates
> #ClientAttrDef oscRadiusDefaultReply,DefaultReply
> #ClientAttrDef oscRadiusFramedGroup,FramedGroup
> #ClientAttrDef oscRadiusStripFromReply,StripFromReply
> #ClientAttrDef oscRadiusAllowInReply,AllowInReply
> #ClientAttrDef oscRadiusAddToReply,AddToReply
> #ClientAttrDef oscRadiusAddToReplyIfNotExist,AddToReplyIfNotExist
> #ClientAttrDef oscRadiusDynamicReply,DynamicReply
> #ClientAttrDef oscRadiusStripfromRequest,StripfromRequest
> #ClientAttrDef oscRadiusAddToRequest,AddToRequest
> #ClientAttrDef oscRadiusAddToRequestIfNotExist,AddToRequestIfNotExist
> </ClientListLDAP>
>
> ##################
> ### ACCOUNTING ###
>
> <AuthBy SQL>
> Identifier AcctSQL
> DBSource dbi:mysql:*******
> DBUsername ******
> DBAuth ******
>
> # !!! Table must exist !!!
> AccountingTable ACCOUNTING%Y%m
>
> AcctColumnDef USERNAME,User-Name
> AcctColumnDef TIME_STAMP,Timestamp,integer
> AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
> AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
> AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
> AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
> AcctColumnDef ACCTSESSIONID,Acct-Session-Id
> AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
> AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
> AcctColumnDef NASIDENTIFIER,NAS-Identifier
> AcctColumnDef NASPORT,NAS-Port,integer
> AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
>
> AcctFailedLogFileName /usr/local/etc/radiator/missedaccounting
>
> </AuthBy>
>
> ######################
> ### AUTHENTICATION ###
>
> <AuthBy LDAP2>
> Identifier CheckLDAP
>
> # Tell Radiator how to talk to the LDAP server
> Host localhost
>
> # LDAP server authentication.
> AuthDN cn=***, dc=***, dc=***
> AuthPassword ***
>
> # This is the top of the search tree where users will be found.
> BaseDN dc=***, dc=***
> #BaseDN %0=%1,dc=**, dc=**
>
> # This is the LDAP attribute to match the radius user name
> #UsernameAttr cn
> UsernameAttr uid
>
> PasswordAttr userPassword
>
> DefaultSimultaneousUse 1
>
> # CheckAttr, ReplyAttr and AuthAttrDef
> AuthAttrDef radiusFramedIPAddress,Framed-IP-Address,reply
> AuthAttrDef radiusFramedRoute,Framed-Route,reply
> AuthAttrDef radiusFramedRouting,Framed-Routing,reply
> AuthAttrDef radiusFramedProtocol,Framed-Protocol,reply
> AuthAttrDef Cisco-AVPair,Cisco-AVPair,reply
>
> #AuthAttrDef nasPortType,NAS-Port-Type,check
> AuthAttrDef radiusLoginLATPort,NAS-Port-Type,check
>
>
> # These are the classic things to add to each user
> # Framed-Routing = None is intentionally left out; it is kept out of the
> # backslash-continued list below so the continuation stays intact
> AddToReply Framed-Protocol = PPP,\
> Framed-IP-Netmask = 255.255.255.255,\
> Framed-MTU = 1500,\
> Framed-Compression = Van-Jacobson-TCP-IP
>
> # Debugging of the Net::LDAP
> Debug 255
>
> # With LDAP2, You can enable SSL or TLS with perl-ldap 0.22 and
> # better
> # by setting UseSSL or UseTLS. Not supported on Windows
> #UseSSL
> # UseTLS
> # If you set UseSSL or UseTLS, also need to set these:
> #SSLCAClientCert certificates/cert-clt.pem
> #SSLCAClientKey whatever
> # (certificates in PEM format)
> # Also need to set one of:
> #SSLCAFile certificates/demoCA/cacert.pem
> # SSLCAPath /path/to/file/containing/certificate/of/CA
> # (certificates in PEM format)
> # These set the corresponding parameters in the
> # LDAPS connection (see perl-ldap docs)
> # Requires IO::Socket::SSL, Net::SSLeay and openssl
>
> # You can control the timeout for connection failure
> Timeout 5
> FailureBackoffTime 10
>
> # You can control the LDAP protocol version to be used
> # to talk to the LDAP server. OpenLDAP 2 requires
> # Version 3 unless you have 'allow bind_v2' in your
> # slapd.conf. Defaults to version 2
> Version 3
> </AuthBy>
>
>
> <Handler Request-Type=Accounting-Request>
> AuthBy AcctSQL
> </Handler>
>
> <Handler Request-Type=Access-Request>
> # Delete @auol.at from the User-Name
> RewriteUsername s/^([^@]+).*/$1/
>
> # Give additional message if "Request Denied"
> RejectHasReason
>
> AuthBy CheckLDAP
> </Handler>
>
> ## test handler
> #<Handler
>
> ###############
> ### LOGGING ###
>
> # Add SQL Logging to mySQL DB (Table RADLOG%Y%m)
> <Log SQL>
> DBSource dbi:mysql:******
> DBUsername ***
> DBAuth ***
> Table RADLOG%Y%m
> FailureBackoffTime 20
> Trace 3
> </Log>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>
NB: I am travelling this week, so there may be delays in our
correspondence.
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--