[RADIATOR] Checking if attribute is within an IP subnet

daniel.herrmann at zv.fraunhofer.de
Tue Feb 28 13:20:14 UTC 2017


Hi,

I want to achieve the following using Radiator:

Users connect via VPN to our Cisco ASA using AnyConnect, which authenticates the users via RADIUS. The Handler on Radiator is as follows. Basically, users belong to a group in our AD, let’s say vpn-inband. The client statement of the firewall includes the respective client-identifier to map the request to the handler.

--- schnip ---
##############################################
############# Authenticate VPN  ##############
############## Cisco ASA VPN #################
##############################################

# InBand VPN
<Handler Client-Identifier=network-security-ib>
        # Require vpn-inband Group
        AddToRequest ADGroup="CN=vpn-inband,CN=xxx"

        # Continue Auth until acceptable permission set is found
        AuthByPolicy            ContinueUntilAccept

        # Try emergency-user before asking AD
        AuthBy AuthByFile

        # Try to authenticate against AD
        AuthBy AuthByAD
</Handler>
--- schnapp ---

AuthBy AD actually just authenticates against AD:

--- schnip ---
<AuthBy LDAP2>
         # Define DC to connect to
         Host                    oob-ldap-proxy

         # Identifier to use this AuthBy Clause later
         Identifier AuthByAD

         # Administrative user used to perform LDAP queries
         AuthDN                  xxxxx
         AuthPassword            xxxx

         # Where to search for users
         BaseDN                  OU=xxx-User,DC=xxx
         ServerChecksPassword

         # Add Check for group membership
         AuthAttrDef memberOf, ADGroup, check

         # Reply should include the group names for further processing
         AuthAttrDef memberOf, ADGroups, reply

         # There will be no default User
         NoDefault

         # LDAP attribute to check the UserName on
         UsernameAttr            sAMAccountName
         AuthAttrDef             logonHours,MS-Login-Hours,check
</AuthBy>
--- schnap ---

So far, this is already working. Let’s now say, some of the users have an additional group in AD, say “CN=student,CN=xxx”. In this case, I want to restrict the source-IP they may use to connect to the VPN. The Appliance itself cannot handle this, but the RADIUS request includes the source IP.

--- snip ---
Attributes:
        User-Name = "daniel.herrmann"
        Calling-Station-Id = "10.1.0.10"
--- snap ---

I want to create this logic:

If user has both the inband and student group, he may only connect if the Calling-Station-Id is within a specific range, say 10.10.10/24. If the user is only in the inband group and not within the student group, he may connect from everywhere.

What would be the easiest way to build this in Radiator?

Thanks and best regards
Daniel


--
Daniel Herrmann
Network Architect – Fraunhofer Private Cloud
CCIE #55056 (Routing and Switching)
Cisco CCDP, CCIP; Fluke CCTT

Fraunhoferstraße 5, 64283 Darmstadt
Mail: daniel.herrmann at zv.fraunhofer.de
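The decision logic the post asks for, as an added example that is not part of the original message and not Radiator's own code: it takes the RADIUS attributes and the user's memberOf groups and enforces "inband only: any source; inband plus student: only from 10.10.10.0/24", failing closed when a student's Calling-Station-Id is missing or is not an IP address (some NAS types send a MAC address there). The group DNs are the post's placeholders and the sample requests are constructed.

```python
import ipaddress

# Group DNs and the allowed student subnet as given in the post (the CN=xxx suffix is the author's placeholder).
INBAND_GROUP = "CN=vpn-inband,CN=xxx"
STUDENT_GROUP = "CN=student,CN=xxx"
STUDENT_ALLOWED_NETS = [ipaddress.ip_network("10.10.10.0/24")]


def normalize_groups(groups):
    """AD distinguished names are case-insensitive, so compare them case-folded."""
    return {g.strip().casefold() for g in groups}


def source_ip(attrs):
    """Parse Calling-Station-Id as an IP address.

    Returns None when the attribute is absent or is not an IP literal
    (e.g. a MAC address from a wireless NAS), so the caller can fail closed.
    """
    raw = attrs.get("Calling-Station-Id")
    if raw is None:
        return None
    try:
        return ipaddress.ip_address(raw.strip())
    except ValueError:
        return None


def decide(attrs, groups):
    """Return (accept, reason) for one request.

    - not in vpn-inband            -> reject
    - vpn-inband, not student      -> accept from any source
    - vpn-inband and student       -> accept only from STUDENT_ALLOWED_NETS
    """
    member = normalize_groups(groups)
    if INBAND_GROUP.casefold() not in member:
        return False, "not a member of vpn-inband"
    if STUDENT_GROUP.casefold() not in member:
        return True, "inband user, source unrestricted"
    ip = source_ip(attrs)
    if ip is None:
        return False, "student without a usable Calling-Station-Id"
    if any(ip in net for net in STUDENT_ALLOWED_NETS):
        return True, f"student from allowed source {ip}"
    return False, f"student from disallowed source {ip}"


# Constructed request modelled on the attributes shown in the post.
SAMPLE_REQUEST = {"User-Name": "daniel.herrmann", "Calling-Station-Id": "10.1.0.10"}
```

Radiator hands the same information to a Perl hook (the request's Calling-Station-Id and the memberOf values collected by AuthAttrDef), so the same branches apply there; this block only shows the policy, not Radiator's hook interface.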
