In article <bay154-w6ae2b5874b5015e85e875c0...@phx.gbl> you wrote:
>
> I'm a new subscriber of this list. I'm trying to set up a radius server
> with LDAP authentication; I've managed to authenticate a user (from a
> Cisco device), but my fellows from the Security Department think that we
> should have a two-step authentication:
>
Ask your security folk for *today* a list of people who may only administer one selection of devices and not the other. If they actually do not use the facility then it is a waste of time implementing it (it is easy enough to implement later on); I get the impression this is a "not needed but would be nice if this could be done". :)

Far more appropriate is to configure the switches to all log to a central syslog server (so you know who logged in and out, and when) and configure something like RANCID to record the configuration changes.

...anyway, onto the problem.

> 1. User/password authentication, searching in
> cn=users,ou=pepe,ou=jose,c=es
>
> 2. A compare request, searching a specific objectclass in the LDAP
> tree.
>
> So, the idea is the following one: depending on the NAS-IP-Address,
> not only to check for a correct password, but search the uid in an
> objectclass called owner in the entry cn=deviceX,ou=pepe,ou=jose,c=es.
>
> deviceX is the one with the source NAS-IP-Address. I know how to
> unlang using switch statements, configuring different ldap modules
> in the radius server, so I can write the basedn I want.
>
> But how can I do step 2?
>
The easiest approach is to create LDAP groups based on the NAS-IP-Address and then test to see if the user is a member of the group '%{NAS-IP-Address}'. Once you create the LDAP groups and make the users members of them you can use unlang in your 'authorize' section in a manner like:

authorize {
    ....
    ldap
    if (Ldap-Group != "%{NAS-IP-Address}") {
        update reply {
            Reply-Message := "no way kiddo"
        }
        reject
    }
    ....
}

This is off the top of my head but should give you what you are looking for; you will see in the output of 'freeradius -X' that it does roughly what you need.

The only problem I can see with it is that if you have a lot of switches to log into, the number of groups you have to add a user to becomes a really tedious process; this problem could be solved by using something like the following instead:

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg59481.html
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg62699.html

Cheers

--
Alexander Clouter
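An offline model of the rule the reply proposes, added here as an example and not code from the thread or from FreeRADIUS: a small in-memory directory stands in for LDAP so the accept/reject decision (password check, then Ldap-Group against the NAS-IP-Address) can be exercised without a server. The users subtree follows the thread; the ou=nasgroups container, groupOfNames-style member attributes, the uids and the plaintext passwords are constructed assumptions.

```python
BASE_DN = "ou=pepe,ou=jose,c=es"

# Constructed directory: DN -> attributes. One group per NAS, named by its IP.
DIRECTORY = {
    f"uid=ana,cn=users,{BASE_DN}": {"uid": ["ana"], "userPassword": ["ana-pw"]},
    f"uid=bob,cn=users,{BASE_DN}": {"uid": ["bob"], "userPassword": ["bob-pw"]},
    f"cn=10.0.0.1,ou=nasgroups,{BASE_DN}": {
        "cn": ["10.0.0.1"],
        "member": [f"uid=ana,cn=users,{BASE_DN}", f"uid=bob,cn=users,{BASE_DN}"],
    },
    f"cn=10.0.0.2,ou=nasgroups,{BASE_DN}": {
        "cn": ["10.0.0.2"],
        "member": [f"uid=ana,cn=users,{BASE_DN}"],   # bob may not manage this NAS
    },
}


def find_user_dn(uid):
    """Step 1 of the thread: look the uid up under cn=users,<BASE_DN>."""
    for dn, attrs in DIRECTORY.items():
        if dn.endswith(f"cn=users,{BASE_DN}") and uid in attrs.get("uid", []):
            return dn
    return None


def ldap_groups(user_dn):
    """Names (cn) of every group whose member attribute holds the user DN;
    this is the set an Ldap-Group comparison resolves against."""
    return {attrs["cn"][0] for attrs in DIRECTORY.values()
            if user_dn in attrs.get("member", [])}


def authorize(username, password, nas_ip):
    """Return (decision, reply_message) the way the unlang in the reply would.
    Plaintext password comparison is a stand-in for the real bind/compare."""
    user_dn = find_user_dn(username)
    if user_dn is None or password not in DIRECTORY[user_dn]["userPassword"]:
        return "reject", "bad credentials"
    if not nas_ip:
        # A request carrying no NAS-IP-Address can never match a group name.
        return "reject", "no NAS-IP-Address"
    if nas_ip not in ldap_groups(user_dn):     # Ldap-Group != "%{NAS-IP-Address}"
        return "reject", "no way kiddo"
    return "accept", ""


if __name__ == "__main__":
    for user, pw, nas in [("ana", "ana-pw", "10.0.0.2"), ("bob", "bob-pw", "10.0.0.2")]:
        print(user, nas, authorize(user, pw, nas))
```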