Hi 

We are facing a similar issue - though no segmentation fault - see attached
message.

In your case, since the setup seems to be quite simple, you can do a check
of the group and NAS-IP-Address.  In the users file it would be something
similar to:

DEFAULT         Auth-Type := System, NAS-IP-Address == juniper_IP_Address, Group == "juniper"

DEFAULT         Auth-Type := System, NAS-IP-Address == cisco_IP_Address, Group == "cisco"

You have to change the syntax since you're using LDAP.  Obviously, with
Huntgroups it would be simpler since you can group the cisco switches
together and have just one simple entry.  As a temporary fix, though, the
suggested workaround will work.

Geoff


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Banniza
Sent: Wednesday, August 04, 2004 5:11 AM
To: [EMAIL PROTECTED]
Subject: Using groups to allow certain engineers access to certain switches??

Guys,
I'm using Freeradius-0.9.3 with the rlm_ldap module (OpenLDAP backend)
and have most everything configured except this last little bit. I would
like to allow only certain users to have the ability to log in to only
certain switches. i.e. Cisco group will manage cisco devices and juniper
group can only manage juniper devices.

I thought I could do this by placing:

"Group = operator" 

in the huntgroups file under each individual huntgroup and then adding a 

"radiusReplyItem: Group := operator" 

in my ldap schema. However, this has managed to seg fault the radiusd
process. Is this the correct way to go about adding tiered access to my
routers/switches? If not, I would appreciate any help out there.

Robert

- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
--- Begin Message ---

Hi,

We are experiencing problems using the huntgroups file with freeradius-1.0.0-pre3.

Please note that the NAS-IP-Address is the same for both huntgroups, i.e. 217.15.97.19. Using different NAS-IP-Addresses works fine.

Huntgroups file is as follows :-

streamgamers    NAS-IP-Address == 217.15.97.19
                Group == users,
                Group == tech

gaming          NAS-IP-Address == 217.15.97.19
                Group == gamers,
                Group == users,
                Group == tech


Users file is as follows :-

DEFAULT         Auth-Type := System, Hint == "gamestream", Huntgroup-Name == "gaming", Service-Type == Framed-User
                Service-Type = Framed-User,
                Framed-Protocol = PPP

DEFAULT         Auth-Type := System, Hint == "stream", Huntgroup-Name == "streamgamers", Service-Type == Framed-User
                Service-Type = Framed-User,
                Framed-Protocol = PPP


Hints file is as follows :-

DEFAULT Suffix == "@stream", Strip-User-Name = Yes
        Hint = "stream"

DEFAULT Suffix == "@gamestream", Strip-User-Name = Yes
        Hint = "gamestream"


The problem we have is the following :-

Imagine 2 users:

john1 in group gamers
peter1 in group tech

We require john1 to obtain access using only the @gamestream realm.

If [EMAIL PROTECTED] tries to connect he is denied access stating the following error :-

    Mon Jul 26 10:39:24 2004 : Auth: No huntgroup access: [john1]

If [EMAIL PROTECTED] tries to connect he is denied access.

If [EMAIL PROTECTED] tries to connect he is allowed access.

If [EMAIL PROTECTED] tries to connect he is allowed access.


Now if we modify the huntgroups file as follows, putting the gaming huntgroup first (the one with more groups) :-

gaming          NAS-IP-Address == 217.15.97.19
                Group == gamers,
                Group == users,
                Group == tech

streamgamers    NAS-IP-Address == 217.15.97.19
                Group == users,
                Group == tech


And try the users again :-

We require john1 to obtain access using only the @gamestream realm.

If [EMAIL PROTECTED] tries to connect he is allowed access.

If [EMAIL PROTECTED] tries to connect he is allowed access (which is not required).

If [EMAIL PROTECTED] tries to connect he is allowed access.

If [EMAIL PROTECTED] tries to connect he is allowed access.

This means that for some reason only the first list of groups is matching.

Can you help us out? If you require further details, just ask.

Thanks for your time!


Regards,

------------------------------------------------
David Mifsud
Network Engineer
DataStream Ltd.
Office Direct: 2567 7230
Office General: 2567 7000
URL: <http://www.datastream.com.mt/>


 


--- End Message ---
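The ordering behaviour the attached message demonstrates, together with the users-file check on NAS-IP-Address and Group that Geoff suggests above, as an added example: this is a Python model written for this page, not code from the thread or from FreeRADIUS. It assumes that group membership is a constructed table standing in for /etc/group or an LDAP lookup; that the huntgroups access check stops at the first entry whose first-line check items match and ORs that entry's Group lines (which is what the two orderings in the attached message show); and that `Huntgroup-Name == X` in the users file is true whenever the request matches the check items of an entry named X. The third scenario applies Geoff's workaround to the attached message's layout, which the thread itself only sketches for the cisco/juniper case.

```python
"""Added example, not code from this thread or from FreeRADIUS: a small Python
model of the matching order discussed above. Group membership, the request
attributes and the file contents are constructed test data."""

# Constructed group membership; stands in for /etc/group or an LDAP group lookup.
USER_GROUPS = {"john1": {"gamers"}, "peter1": {"tech"}}

# Hints file from the thread as (Suffix, Hint); the first matching suffix wins
# and is stripped from User-Name (Strip-User-Name = Yes).
HINTS = [("@stream", "stream"), ("@gamestream", "gamestream")]

NAS = "217.15.97.19"  # the NAS-IP-Address both huntgroups share in the thread

# Huntgroups file from the thread: (name, first-line check items, Group access list).
STREAMGAMERS = ("streamgamers", {"NAS-IP-Address": NAS}, ["users", "tech"])
GAMING = ("gaming", {"NAS-IP-Address": NAS}, ["gamers", "users", "tech"])

# Users file from the thread, reduced to the check items this model carries
# (Auth-Type, Service-Type and the reply items are left out).
USERS_THREAD = [
    {"Hint": "gamestream", "Huntgroup-Name": "gaming"},
    {"Hint": "stream", "Huntgroup-Name": "streamgamers"},
]

# Geoff's workaround applied to the same layout (an assumption that goes beyond
# the thread): no huntgroup access lines at all; each DEFAULT entry checks Hint,
# NAS-IP-Address and Group itself. Check items on one line are ANDed, so every
# allowed (realm, group) pair is its own DEFAULT entry.
USERS_WORKAROUND = (
    [{"Hint": "gamestream", "NAS-IP-Address": NAS, "Group": g}
     for g in ("gamers", "users", "tech")]
    + [{"Hint": "stream", "NAS-IP-Address": NAS, "Group": g}
       for g in ("users", "tech")]
)


def apply_hints(user_name, nas_ip):
    """Build the request the later stages see: hints strip the realm suffix
    and set the Hint attribute."""
    request = {"User-Name": user_name, "NAS-IP-Address": nas_ip}
    for suffix, hint in HINTS:
        if user_name.endswith(suffix):
            request["User-Name"] = user_name[: -len(suffix)]
            request["Hint"] = hint
            break
    return request


def check_item(request, attr, value, huntgroups=()):
    """One 'Attr == value' check item."""
    if attr == "Group":
        return value in USER_GROUPS.get(request["User-Name"], set())
    if attr == "Huntgroup-Name":
        # Assumed behaviour: 'Huntgroup-Name == X' holds when the request
        # matches the first-line check items of an entry named X, wherever
        # that entry sits in the file.
        return any(name == value and matches(request, check)
                   for name, check, _ in huntgroups)
    return request.get(attr) == value


def matches(request, check, huntgroups=()):
    """All check items on one line must hold (they are ANDed)."""
    return all(check_item(request, a, v, huntgroups) for a, v in check.items())


def huntgroup_access(request, huntgroups):
    """The behaviour the thread's experiment shows: only the FIRST entry whose
    first-line check items match is considered. Its indented Group lines are
    ORed; if none holds the request is rejected ('No huntgroup access') and no
    later entry, even one with the same NAS-IP-Address, is ever tried."""
    for name, check, groups in huntgroups:
        if matches(request, check):
            allowed = any(check_item(request, "Group", g) for g in groups)
            return name, allowed
    return None, True  # no entry matched: huntgroups do not restrict access


def authorize(user_name, huntgroups, users, nas_ip=NAS):
    """Run hints, then the huntgroup access check, then the users file (DEFAULT
    entries top to bottom, first match wins). Returns 'accept' or a reason."""
    request = apply_hints(user_name, nas_ip)
    hg_name, ok = huntgroup_access(request, huntgroups)
    if not ok:
        return f"reject: No huntgroup access: [{request['User-Name']}] (stopped at {hg_name})"
    for check in users:
        if matches(request, check, huntgroups):
            return "accept"
    return "reject: no users entry matched"


if __name__ == "__main__":
    cases = ["john1@stream", "john1@gamestream", "peter1@stream", "peter1@gamestream"]
    for label, hgs, users in [
        ("thread, streamgamers first", [STREAMGAMERS, GAMING], USERS_THREAD),
        ("thread, gaming first", [GAMING, STREAMGAMERS], USERS_THREAD),
        ("workaround, no huntgroup access lines", [], USERS_WORKAROUND),
    ]:
        print(label)
        for user in cases:
            print(f"  {user:18} {authorize(user, hgs, users)}")
```

Run with `python3` to print the four users under both huntgroup orderings and under the workaround. The first scenario reproduces the `No huntgroup access: [john1]` rejection for both of john1's realms, the second lets john1 in on @stream as well, and the workaround is the only one of the three that admits john1 on @gamestream alone.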
