[RADIATOR] Ideas on group and reply attribs parsing
Garry Shtern
Garry.Shtern at twosigma.com
Thu Apr 4 15:24:45 CDT 2013
Hi Heikki,
Thanks for the pointer. What I want to accomplish (forgetting about the actual code) is to define all of my users in a single file, and in the same file to be able to distinguish which reply attributes are returned based on the RADIUS client. That is, for example, if a user from a group "foo" tries to access the system using an Aruba controller, then the Reply Attribute might be Aruba-Priv-Admin-User=1. Whereas, if a different user who is part of a group "bar" comes via the same Aruba controller, then the Reply Attribute might be Aruba-Priv-Admin-User=2. Additionally, if he is part of group "foo" but tries to access the system via a Cisco switch, he might get a Reply Attribute "Cisco-Account-Info=blah", and so on and so forth.
I can't seem to figure out how to do it in a single user file. The closest I came to was similar to what you are describing:
<Handler Client-Identifier=aruba-controller>
    AuthByPolicy ContinueWhileAccept
    AuthBy krb-ldap-auth (AuthBy GROUP)
    AuthBy file-auth
</Handler>
Then in ldap-auth, I force retrieval of all groups that the user belongs to into a User-Groups comma-separated attribute.
<AuthBy LDAP2>
    ....
    PostSearchHook sub { $_[2]->add_attr('User-Groups', join(',',$_[0]->getUserGroups($_[1], $_[2]))); }
</AuthBy>
However, now comes the dilemma of forcing <AuthBy FILE> to match on individual group from the above list. I am thinking of something like this in the user file
DEFAULT Client-Identifier=aruba-controller Group=foo
    Aruba-Priv-Admin-User=1
DEFAULT Client-Identifier=aruba-controller Group=bar
    Aruba-Priv-Admin-User=2
DEFAULT Client-Identifier=cisco-switch Group=foo
    Cisco-Account-Info=blah
But <AuthBy FILE> doesn't deal with groups by default, and I am not sure how to force it to loop through all of the groups in User-Groups....
Thanks!
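As an added illustration (not Radiator code, nor code from either poster): a small Python model of the users-file lookup being discussed, where an entry's Group check item is satisfied by any group in the comma-separated User-Groups attribute that the PostSearchHook above fills in, and entries are tried in file order with the first match winning. The users-file text is constructed for the example; the name_attr parameter is an assumption standing in for AuthenticateAttribute.

```python
import re

# Constructed users file in the layout discussed in the thread: a name line
# (DEFAULT or a group name) carrying check items, followed by reply items.
# Values with embedded commas or spaces are not handled by this toy parser.
USERS_FILE = """\
DEFAULT Client-Identifier=aruba-controller, Group=foo
    Aruba-Priv-Admin-User=1
DEFAULT Client-Identifier=aruba-controller, Group=bar
    Aruba-Priv-Admin-User=2
DEFAULT Client-Identifier=cisco-switch, Group=foo
    Cisco-Account-Info=blah
"""

def parse_users(text):
    """Return a list of (name, check_items, reply_items) entries in file order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        pairs = [p for p in re.split(r'[,\s]+', line) if p]
        if '=' not in pairs[0]:                 # name line starts a new entry
            checks = dict(p.split('=', 1) for p in pairs[1:] if '=' in p)
            entries.append((pairs[0], checks, {}))
        elif entries:                            # reply line of the current entry
            entries[-1][2].update(p.split('=', 1) for p in pairs if '=' in p)
    return entries

def lookup(entries, request, name_attr='User-Name'):
    """Reply items of the first entry whose name and check items match.

    name_attr (assumed) plays the role of AuthenticateAttribute: a non-DEFAULT
    name must equal that request attribute. A Group check item matches when
    the value is one of the groups in the comma-separated User-Groups
    attribute; every other check item must equal the request attribute.
    Returns a dict of reply attributes, or None when nothing matches.
    """
    groups = [g for g in request.get('User-Groups', '').split(',') if g]
    for name, checks, reply in entries:
        if name != 'DEFAULT' and name != request.get(name_attr):
            continue
        ok = all(value in groups if key == 'Group' else request.get(key) == value
                 for key, value in checks.items())
        if ok:
            return dict(reply)
    return None
```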
-----Original Message-----
From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of Heikki Vatiainen
Sent: Thursday, April 04, 2013 3:53 PM
To: radiator at open.com.au
Subject: Re: [RADIATOR] Ideas on group and reply attribs parsing
On 04/04/2013 03:40 PM, Garry Shtern wrote:
> I am trying to accomplish the following goal and would love ideas on
> the best way to accomplish it...
Have you considered something like:
<Handler Client-Identifier=abc>
    AuthByPolicy ContinueWhileAccept
    AuthBy krb-auth
    AuthBy ldap-auth
    # If still here, have authenticated and have group
    <AuthBy FILE>
        Filename users
        AuthenticateAttribute Group
    </AuthBy>
</Handler>
Where 'users' may look like this:
group1
    Custom-Attribute=1
group2
    Custom-Attribute=2
You are describing the problem in terms of configuration you are thinking about and this makes it quite hard for me to follow. Bouncing off from AuthBy FILE with Auth-Type check item seems quite complex and I'm thinking there's probably an easier way to do this.
Thanks,
Heikki
> - Setup clients with identifiers.
>
> - In the user file specify multiple defaults, with
> Client-Identifier, Auth-Type and optional Group attributes in check
> replies, and different reply attributes.
>
> - Define custom AuthBy with identifiers in the policy file.
>
> Example:
>
> (users)
>
> DEFAULT Client-Identifier=abc, Auth-Type=Krb-Ldap, Group=grp1
>     Custom-Attribute=1
>
> DEFAULT Client-Identifier=abc, Auth-Type=Krb-Ldap, Group=grp2
>     Custom-Attribute=2
>
> (policy)
>
> <AuthBy LDAP2>
>     Identifier Ldap
>     ...
> </AuthBy>
>
> <AuthBy KRB5>
>     Identifier Krb
>     ...
> </AuthBy>
>
> <AuthBy GROUP>
>     Identifier Krb-Ldap
>     AuthByPolicy ContinueWhileAccept
>     AuthBy krb-auth
>     AuthBy ldap-auth
> </AuthBy>
>
> I want the following:
>
> - Auth-Type Krb-Ldap called only _once_, which will verify the
> user's password and retrieve all the groups he is part of.
>
> - Parse users file, matching the first DEFAULT where Group
> matches one of the groups that were retrieved above.
>
> - Have AuthBy's that don't support Groups check just ignore it,
> instead of returning a reject.
>
> Thanks!
>
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
_______________________________________________
radiator mailing list
radiator at open.com.au
http://www.open.com.au/mailman/listinfo/radiator