RE: Authentication based on interface?

2003-10-21 Thread Alan Litster

You forgot to mention how your radius server is configured, using the system
password file, sql, LDAP?

Either way though, as a general solution you should be able to separate the
two by adding NAS-Port and group as check conditions to the users file.
You'll need one for each interface.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt2/scrad.htm#xtocid182648
See also the cisco doc that comes with freeradius.

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Anastasios
 Sotiropoulos
 Sent: 21 October 2003 01:49
 To: [EMAIL PROTECTED]
 Subject: Authentication based on interface?



 I have a Cisco 3600 with 2 physical interfaces (2 ISDN PRIs) and want
 to make 2 usergroups with separate access to them (ex. group1 can login
 only from Serial0/0, and group2 - Serial1/0). How could that be done?


 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html


---
This email, and any files transmitted with it, is copyright and may contain 
confidential information.
The contents are intended for the use of the addressee(s) only.
Unauthorized use may be unlawful.
If you receive this email by mistake, please advise sender immediately.
The views of the author may not necessarily constitute the views of Telco Electronics 
Limited.
Nothing in this mail shall bind Telco Electronics Limited in any contract or 
obligation.

Telco Electronics Limited
6-8 Oxford Court
Brackley
Northants
NN13 7XY

Tel 07000 701999
Fax 07000 701777



RE: Authentication based on interface?

2003-10-21 Thread Anastasios Sotiropoulos
 You forgot to mention how your radius server is configured, using the system
 password file, sql, LDAP?

I am using mysql.

 Either way though, as a general solution you should be able to separate the
 two by adding NAS-Port and group as check conditions to the users file.
 You'll need one for each interface.

I was thinking about checking the interface, but it appears only when
NAS-Port-Type=ISDN:
Vendor-Specific = V9:T1:L24:interface=Serial0/0:30
NAS-Port-Type = ISDN   ^^^
NAS-Port = 20030

When someone calls from PSTN it doesn't report any Vendor-Specific, but
just Async and a port number:
Cisco-AVPair = interface=Async92
NAS-Port-Type = Async
NAS-Port = 92
(Sometimes instead of NAS-Port = 92 I get NAS-Port = 1312686172, why?!)

Since I don't get the interface (Serialx/y) info every time, the only way
is to check if the NAS-Port is between a specific range, if I get it right.

Something like that perhaps?
insert into radgroupcheck values ('0','group1','NAS-Port',':=','65-94');
insert into radgroupcheck values ('0','group2','NAS-Port',':=','97-128');
 ...  ....  ,'20001-20030' (for ISDN)
supposing that Serial0/0 has ports 65-94, and Serial1/0 97-128.

I'm not very familiar with sql syntax, so I'd appreciate some help on
that...




RE: Authentication based on interface?

2003-10-21 Thread Alan Litster
 I was thinking about checking the interface, but it appears only when
 NAS-Port-Type=ISDN:
 Vendor-Specific = V9:T1:L24:interface=Serial0/0:30
 NAS-Port-Type = ISDN   ^^^
 NAS-Port = 20030
Have you run FreeRADIUS in debug mode (radiusd -X) and done a capture of all
the attributes the router sends for the various protocols? A dump of that
may be useful.

 When someone calls from PSTN it doesn't report any Vendor-Specific, but
 just Async and a port number:
 Cisco-AVPair = interface=Async92
 NAS-Port-Type = Async
 NAS-Port = 92
 (Sometimes instead of NAS-Port = 92 I get NAS-Port = 1312686172, why?!)
Did you have a look at the link to Cisco's web site I sent? Look for 'aaa
nas-port extended'.

 Since I don't get the interface (Serialx/y) info every time, the only way
 is to check if the NAS-Port is between a specific range, if I get it right.

 Something like that perhaps?
 insert into radgroupcheck values ('0','group1','NAS-Port',':=','65-94');
 insert into radgroupcheck values ('0','group2','NAS-Port',':=','97-128');
  ...  ....  ,'20001-20030' (for ISDN)
 supposing that Serial0/0 has ports 65-94, and Serial1/0 97-128.

 I'm not very familiar with sql syntax, so I'd appreciate some help on
 that...
Close, here's an example:

INSERT INTO radcheck VALUES (1,'user1','Password',':=','testing123');
INSERT INTO radcheck VALUES (2,'user2','User-Password',':=','VRs1vR06MAQ2M');

INSERT INTO radgroupcheck VALUES (1,'group1','Auth-Type',':=','Local');
INSERT INTO radgroupcheck VALUES (2,'group2','Auth-Type',':=','PAP');
INSERT INTO radgroupcheck VALUES (3,'group1','NAS-Port','==','65-94');
INSERT INTO radgroupcheck VALUES (4,'group2','NAS-Port','==','97-128');

INSERT INTO usergroup VALUES (1,'user1','group1');
INSERT INTO usergroup VALUES (2,'user2','group2');

The password for 'user2' is stored using the SQL ENCRYPT function; they're
both authenticated against the SQL database.

If you haven't done so already, you may be able to get more information by
enabling the extended NAS-Port attribute.

See also the Cisco doc on RADIUS attributes for NAS-Port:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt30/user/ad.htm#1173

The easy part is locking users down by groups; the harder part is
determining the best way to lock those groups down by interface. It solely
depends on the information that the router presents via RADIUS.


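The check-item logic discussed in this thread (Alan's suggestion of NAS-Port per group as a check condition in the users file, and the radgroupcheck rows above), written out in plain Python as an added example. It is not code from the thread or from FreeRADIUS: it parses attribute lines like the ones quoted above, takes the interface name from Cisco-AVPair or Vendor-Specific when the router reports a Serial interface, otherwise maps NAS-Port onto port ranges, and checks the result against the user's group. The ranges (Serial0/0 = 65-94 and 20001-20030, Serial1/0 = 97-128) are the thread's own supposition, not a Cisco fact; PORT_RANGES, GROUP_INTERFACE, USERGROUP and the three sample dumps are constructed for the example. The split of a large NAS-Port into two 16-bit halves rests on an arithmetic observation about the value quoted in the thread (1312686172 == (20030 << 16) | 92); whether that is the layout 'aaa nas-port extended' produces is an assumption to check against the Cisco doc.

```python
import re

# Assumed port-to-interface mapping, taken from the thread's own supposition
# ("supposing that Serial0/0 has ports 65-94, and Serial1/0 97-128") plus
# 20001-20030 for the ISDN side. Not a Cisco fact; adjust to your router.
PORT_RANGES = {
    "Serial0/0": [(65, 94), (20001, 20030)],
    "Serial1/0": [(97, 128)],
}
# Policy from the original question: which group may use which interface.
GROUP_INTERFACE = {"group1": "Serial0/0", "group2": "Serial1/0"}
# Constructed membership, like the usergroup rows in Alan's reply.
USERGROUP = {"user1": "group1", "user2": "group2"}

ATTR_RE = re.compile(r"^\s*(?P<name>[\w-]+)\s*=\s*(?P<value>.+?)\s*$")
# Matches interface=Serial0/0:30 or interface=Async92; a ':30' channel
# suffix is left out of the captured name.
IFACE_RE = re.compile(r"interface=(?P<iface>[A-Za-z]+\d+(?:/\d+)*)")


def parse_attrs(dump):
    """Turn 'Attribute = value' lines (as radiusd -X prints them) into a dict."""
    attrs = {}
    for line in dump.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group("name")] = m.group("value")
    return attrs


def split_extended_nas_port(value):
    """Split a 32-bit NAS-Port into its high and low 16-bit halves.

    Arithmetic observation only: the value quoted in the thread, 1312686172,
    equals (20030 << 16) | 92, the ISDN port and the Async port packed
    together. Whether this is the layout 'aaa nas-port extended' produces
    is an assumption; check the Cisco doc linked in the thread.
    """
    return value >> 16, value & 0xFFFF


def interface_from_attrs(attrs):
    """Prefer the interface name the NAS reports; otherwise map NAS-Port."""
    for key in ("Cisco-AVPair", "Vendor-Specific"):
        m = IFACE_RE.search(attrs.get(key, ""))
        if m and m.group("iface").startswith("Serial"):
            return m.group("iface")
    if "NAS-Port" not in attrs:
        return None
    port = int(attrs["NAS-Port"])
    candidates = [port]
    if port > 0xFFFF:  # too large for a plain port number: treat as packed
        candidates.extend(split_extended_nas_port(port))
    for iface, ranges in PORT_RANGES.items():
        for lo, hi in ranges:
            if any(lo <= c <= hi for c in candidates):
                return iface
    return None


def authorize(user, dump):
    """Return (accepted, reason) for a user calling in with these attributes."""
    group = USERGROUP.get(user)
    if group is None:
        return False, "unknown user"
    iface = interface_from_attrs(parse_attrs(dump))
    if iface is None:
        return False, "could not determine interface"
    if GROUP_INTERFACE[group] != iface:
        return False, "%s not allowed on %s" % (group, iface)
    return True, "%s allowed on %s" % (group, iface)


# Constructed sample dumps, modelled on the attribute lines quoted in the thread.
ISDN_CALL = """\
Vendor-Specific = V9:T1:L24:interface=Serial0/0:30
NAS-Port-Type = ISDN
NAS-Port = 20030
"""
ASYNC_CALL = """\
Cisco-AVPair = interface=Async92
NAS-Port-Type = Async
NAS-Port = 92
"""
ASYNC_EXTENDED = """\
Cisco-AVPair = interface=Async92
NAS-Port-Type = Async
NAS-Port = 1312686172
"""

if __name__ == "__main__":
    samples = (("isdn", ISDN_CALL), ("async", ASYNC_CALL), ("async-ext", ASYNC_EXTENDED))
    for user in ("user1", "user2"):
        for name, dump in samples:
            print(user, name, authorize(user, dump))
```

The order of the checks matters: a reported Serial interface name is trusted over the port range, so a misconfigured range cannot override what the router says, and a request with neither a usable interface name nor a NAS-Port inside a known range is rejected rather than falling into a default group.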


Authentication based on interface?

2003-10-20 Thread Anastasios Sotiropoulos

I have a Cisco 3600 with 2 physical interfaces (2 ISDN PRIs) and want
to make 2 usergroups with separate access to them (ex. group1 can login
only from Serial0/0, and group2 - Serial1/0). How could that be done?

