Hi All,
We are using Freeradius to authenticate network administrators when they log in 
to their switches and routers. The setup is working fine as follows:
User telnets to switch and enters username and password.
Switch passes authentication request to Freeradius.
Freeradius authenticates user against AD.

The users are all defined in the users file - the lines I've added or changed 
from default are below:

superuser1        Auth-Type = ntlm_auth
superuser2        Auth-Type = ntlm_auth
loweruser1        Auth-Type = ntlm_auth
loweruser2        Auth-Type = ntlm_auth

DEFAULT Group == "disabled", Auth-Type := Reject
                Reply-Message = "You are not permitted to access this system"

The idea is that superusers are allowed to log in to any of the 200 network 
devices whilst users are only allowed to log in to a subset of say 50 devices.
It's straightforward enough for the superusers and works fine but I'm stumped 
on how to handle the others. I have tested the following OK in 
sites-enabled/default:

if (User-Name == "loweruser1") {
        update reply {
                Reply-Message := "Mark Whitmarsh not allowed here"
        }
        reject
}

If I log in as loweruser1 it rejects me as expected. I think I need to put my 
users and network devices into groups so I can test for variables but I'm stuck 
on how to do that.

After reading lots of man pages and getting nowhere I've hit one of those 
annoying mental blocks and need some help.

Thanks,
Mark Whitmarsh.
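The group mechanism the post is looking for is FreeRADIUS huntgroups: the huntgroups file maps NAS addresses to a named group, and that name is then available as the Huntgroup-Name check item in the users file (the preprocess module must run before files in the authorize section, which it does in the default configuration). The following is an added example and not configuration from the original post or from the FreeRADIUS project; the huntgroup name "edge", the NAS addresses, the final DEFAULT entry and its Reply-Message are assumptions for illustration, and it assumes a FreeRADIUS 2.x style users file like the one above.

```text
# --- raddb/huntgroups ---
# Added example, not from the original post. "edge" and the NAS addresses are
# assumptions: list one line per device that the restricted users may reach
# (the 50-device subset). The group name may repeat on as many lines as needed.
edge    NAS-IP-Address == 10.20.30.1
edge    NAS-IP-Address == 10.20.30.2
edge    NAS-IP-Address == 10.20.30.3

# --- raddb/users ---
# Superusers carry no device check item, so their entry matches on any NAS.
superuser1      Auth-Type = ntlm_auth
superuser2      Auth-Type = ntlm_auth

# Restricted users: the Huntgroup-Name check item only matches when the
# request came from a NAS listed under "edge" above. On any other device the
# entry does not match and processing falls through to the DEFAULT entries.
loweruser1      Huntgroup-Name == "edge", Auth-Type = ntlm_auth
loweruser2      Huntgroup-Name == "edge", Auth-Type = ntlm_auth

DEFAULT Group == "disabled", Auth-Type := Reject
                Reply-Message = "You are not permitted to access this system"

# Catch-all (assumed for this example): anything not matched above, including
# a restricted user on a device outside the "edge" huntgroup, is rejected with
# an explicit message instead of relying on "no Auth-Type found".
DEFAULT Auth-Type := Reject
                Reply-Message = "You are not permitted to access this device"
```

Adding a device to the restricted set is then one new line in huntgroups rather than a change per user, and adding a restricted user is one line in users. The same Huntgroup-Name check item can be used in an unlang if condition in sites-enabled/default if the per-user reject above is preferred over the users file. Run radiusd -X while logging in as loweruser1 from a device that is not in the huntgroup and from one that is: the debug output shows which users entry matched and whether Auth-Type ended up as ntlm_auth or Reject.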



List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html