[RADIATOR] Checking if attribute is within an IP subnet

Hugh Irvine hugh at open.com.au
Fri Mar 3 06:46:28 UTC 2017


Hello Daniel -

I don’t know enough about your exact setup, but you should be able to do something like this:


# InBand VPN
<Handler Client-Identifier=network-security-ib>
    # Require vpn-inband Group
    AddToRequest ADGroup="CN=vpn-inband,CN=xxx"

    # Continue Auth until acceptable permission set is found
    AuthByPolicy ContinueUntilAccept

    # Try emergency-user before asking AD
    AuthBy AuthByFile

    # AuthBy GROUP to change AuthByPolicy
    <AuthBy GROUP>
        AuthByPolicy ContinueWhileAccept

        # Try to authenticate against AD
        AuthBy AuthByAD

        # AuthBy INTERNAL RequestHook to accept or reject
        # depending on what is added to the reply by the previous PostSearchHook
        # i.e. a Reply-Message that says to reject, for example
        <AuthBy INTERNAL>
            RequestHook …..
        </AuthBy>
    </AuthBy>
</Handler>


There are a number of example hooks in the Radiator distribution in “goodies/hooks.txt”.

regards

Hugh

> On 2 Mar 2017, at 23:33, daniel.herrmann at zv.fraunhofer.de wrote:
> 
> Hello Hugh,
> 
>> On 02.03.17, 05:24 "Hugh Irvine" hugh at open.com.au wrote:
>> Probably the simplest way to do this is with a PostSearchHook.
> 
> Maybe I understood you wrong, but I am not sure how this will help. I could do the IP address check in the hook; if I understood correctly, the RADIUS request will be passed to the hook. Two questions however remain:
> 
> In summary, the overall logic should look like this:
> 
> User is authenticated against local fallback user store
>     Permit
> User is member of VPN AD group and student AD group:
>     If source-ip in range
>             Permit
>     else
>             Deny
>     endif
> User is member of OOB VPN group:
>      Permit
> Else
>      Deny
> 
> Two questions:
> 
> - I understand that the “if source-ip”… part can be done in the Post Search Hook. How would I return a value such that the request will be denied?
> - How can I check if a user is member of two groups and only then check the IP address?
> 
> Thanks again and best regards
> Daniel
> 


--

Hugh Irvine
hugh at open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER, SIM, etc. 
Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.
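Added example (not part of Hugh's reply, Daniel's question or the Radiator distribution): the subnet test Daniel asked about, written with core Perl modules only, plus a sketch of the AuthBy INTERNAL RequestHook body from Hugh's outline that reads the marker left in the reply by the PostSearchHook and accepts or rejects accordingly. Assumptions, none of which the thread states: the hook argument order `($self, $p, $rp)` and the `($result, $reason)` return convention, the `$main::ACCEPT`/`$main::REJECT` result codes, the use of `Reply-Message` as the marker attribute, `Calling-Station-Id` as the attribute carrying the client's source address, and the sample address ranges. Check the AuthBy INTERNAL section of the Radiator reference manual and goodies/hooks.txt for your version before pasting the sub into a `RequestHook` parameter.

```perl
#!/usr/bin/perl
# Added example; not code from the original thread or from Radiator itself.
# The subnet helpers run stand-alone; the hook body is only meaningful inside Radiator.
use strict;
use warnings;
use Socket qw(inet_aton);

# Return 1 if dotted-quad $ip lies inside $cidr (e.g. "10.20.0.0/16"), else 0.
# A bare address with no prefix length is treated as /32. Only dotted quads are
# accepted, so an attacker-controlled attribute value can never trigger a DNS lookup.
sub ip_in_cidr {
    my ($ip, $cidr) = @_;
    my ($net, $bits) = split m{/}, $cidr, 2;
    $bits = 32 unless defined $bits && length $bits;
    return 0 unless $bits =~ /^\d+$/ && $bits <= 32;
    my $quad = qr/^\d{1,3}(?:\.\d{1,3}){3}$/;
    return 0 unless defined $ip && $ip =~ $quad && $net =~ $quad;
    my $ip_n  = inet_aton($ip);
    my $net_n = inet_aton($net);
    return 0 unless defined $ip_n && defined $net_n;
    # /0 matches everything; otherwise build a 32-bit mask with $bits leading ones
    my $mask = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return ((unpack('N', $ip_n) & $mask) == (unpack('N', $net_n) & $mask)) ? 1 : 0;
}

# Return 1 if $ip is inside any of the CIDRs in @$ranges.
sub ip_in_ranges {
    my ($ip, $ranges) = @_;
    for my $cidr (@$ranges) {
        return 1 if ip_in_cidr($ip, $cidr);
    }
    return 0;
}

# Source ranges permitted for the "VPN group + student group" case.
# Constructed sample values; replace with the real student ranges.
my @student_ranges = ('10.20.0.0/16', '192.0.2.0/24');

# Body for the AuthBy INTERNAL RequestHook in the sketch above. ASSUMPTIONS: the hook
# receives ($self, $p, $rp) with $p the request and $rp the reply under construction,
# and returns ($result, $reason); the PostSearchHook marks its decision in a
# Reply-Message; the client's source address arrives in Calling-Station-Id.
my $request_hook = sub {
    my ($self, $p, $rp) = @_;
    my $marker = $rp->get_attr('Reply-Message');
    $marker = '' unless defined $marker;

    # PostSearchHook decided this user must be refused (e.g. not in the required groups)
    return ($main::REJECT, 'Rejected by group policy') if $marker =~ /reject/i;

    # PostSearchHook saw both required groups: the source address decides
    if ($marker eq 'check-source-ip') {
        # drop the internal marker so it is not sent to the client
        $rp->delete_attr('Reply-Message');
        my $src = $p->get_attr('Calling-Station-Id');
        $src = '' unless defined $src;
        return ($main::ACCEPT, '') if ip_in_ranges($src, \@student_ranges);
        return ($main::REJECT, "Source address $src is outside the permitted ranges");
    }

    # No marker: PostSearchHook raised no objection (e.g. the OOB VPN group case)
    return ($main::ACCEPT, '');
};

# Stand-alone check of the subnet logic when run outside Radiator; constructed addresses.
unless (defined $main::ACCEPT) {
    for my $addr ('10.20.5.7', '192.0.2.200', '198.51.100.9', 'not-an-ip') {
        printf "%-14s %s\n", $addr,
            ip_in_ranges($addr, \@student_ranges) ? 'in range' : 'out of range';
    }
}
```

Run outside Radiator, the script only exercises the subnet helpers: the first two constructed addresses fall inside the sample ranges, the third is outside and the malformed value is rejected without any lookup. The rejection path returns a reason string rather than relying on the marker text, so the reply the client sees never leaks the internal decision marker.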