Re: Freeradius privilege separation

2010-05-14 Thread Michał Dopierała
Thanks for the response!

So, the users file can look like this:

 mdopierala  Packet-Src-IP-Address == 192.168.1.1, Crypt-Password := "some_hash"
        Service-Type = "Administrative-User",
        Cisco-AVPair = "shell:priv-lvl=15",
        Brocade-Auth-Role = "Administrator"

 mdopierala  Packet-Src-IP-Address == 192.168.1.2, Crypt-Password := "some_hash2"
        Service-Type = "Administrative-User",
        Cisco-AVPair = "shell:priv-lvl=1",
        Brocade-Auth-Role = "Administrator"

This way user mdopierala will have priv-lvl=15 on router1 and priv-lvl=1 on
router2?
I have a lot of users and clients in my environment (a lot of
network equipment and administrators). Can I make groups of these users
and clients and then apply policies to these groups? This way I could add new
users to these groups instead of writing separate policies.
Unfortunately I work on a production environment and I can't do as many tests
as I wish.

2010/5/14 Alan DeKok 

> Michał Dopierała wrote:
> > It is possible in freeradius to have one user who has full privilege
> > level to one equipment (one cisco router privilege lvl15), and limited
> > privilege level to other equipment (other router with smaller privilege
> > e.g. lvl10 which will be configured on router)?
>
>   Yes.
>
> > How to separate it?
>
>  How are the requests different?  Use that information to separate the
> policies for the two routers.
>
> > My current configuration of users:
> >
> >  mdopierala  Auth-Type := PAP, Crypt-Password = "passwrd"
>
>   DON'T set Auth-Type.  Honestly.  This should be written in huge
> letters everywhere on all of the documentation.
>
> > Service-Type = "Administrative-User",
> > Cisco-AVPair="shell:priv-lvl=15",
> > Brocade-Auth-Role ="Administrator"
>
>   And it doesn't contain any *conditional* checks for different clients.
>
>  You could do:
>
> mdopierala Packet-Src-IP-Address == 192.168.1.1, Cleartext-Password := ...
>...
>
>
>  i.e. check for NAS IP, and return different results based on that.
>
>  Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
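The suggestion above (check the NAS address, return different results) scales to groups of devices and groups of users with two stock FreeRADIUS facilities: the huntgroups file of rlm_preprocess groups the NAS devices, and DEFAULT entries in the users file with Fall-Through apply one policy to a set of users. The fragments below are an added example, not configuration posted in this thread; they assume FreeRADIUS 2.x syntax and the default authorize section in which preprocess runs before files. The third router 192.168.1.3, the user jsmith, and the hash placeholders are made up for the example.

```conf
# ---- raddb/huntgroups (read by rlm_preprocess) ---------------------------
# Device groups.  Packet-Src-IP-Address is the source address of the UDP
# packet; NAS-IP-Address is an attribute the device writes into the request
# and can claim any value, so match on the packet source as the reply above
# does.  A huntgroup name may appear on several lines.
core-routers    Packet-Src-IP-Address == 192.168.1.1
# 192.168.1.3 is an assumed third router, not one from the thread
core-routers    Packet-Src-IP-Address == 192.168.1.3
edge-routers    Packet-Src-IP-Address == 192.168.1.2

# ---- raddb/users (read by rlm_files) ---------------------------------------
# Identity: one line per user carrying only the credential.  Fall-Through
# lets the group policy entries below add the reply attributes, so a new
# administrator is one entry here plus a name in a group pattern below.
mdopierala      Crypt-Password := "some_hash"
                Fall-Through = Yes
jsmith          Crypt-Password := "some_other_hash"
                Fall-Through = Yes

# Group policy: the User-Name pattern is the user group, the huntgroup is
# the device group.  The anchors (^ $) stop "mdopierala2" from matching.
# Full access on the core routers ...
DEFAULT         User-Name =~ "^(mdopierala|jsmith)$", Huntgroup-Name == "core-routers"
                Service-Type = Administrative-User,
                Cisco-AVPair = "shell:priv-lvl=15",
                Brocade-Auth-Role = "Administrator"

# ... and an unprivileged exec shell on the edge routers.
DEFAULT         User-Name =~ "^(mdopierala|jsmith)$", Huntgroup-Name == "edge-routers"
                Service-Type = NAS-Prompt-User,
                Cisco-AVPair = "shell:priv-lvl=1",
                Brocade-Auth-Role = "Administrator"

# Nothing above matched: the device is in no huntgroup, or the user is in
# no group for that device.  Reject explicitly rather than returning an
# Access-Accept with no privilege attributes.  Auth-Type := Reject is the
# one case where setting Auth-Type in the users file is the documented way.
DEFAULT         Auth-Type := Reject
                Reply-Message = "No policy for this user on this device"
```

Entries are tried top to bottom and the first one whose check items match wins unless it sets Fall-Through, so the order matters: credentials first, group policies next, the catch-all reject last. Test with radtest from the server host and watch the matched entry in `radiusd -X` output before touching the routers. Once the user list outgrows a regex, the same user-group/device-group split is what the radusergroup and radgroupreply tables of rlm_sql (or the group handling of rlm_ldap) give you, with the users file kept only for the catch-all.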

Freeradius privilege separation

2010-05-13 Thread Michał Dopierała
Hi!

Is it possible in FreeRADIUS to have one user who has full privilege level
on one device (one Cisco router, privilege lvl 15), and a limited privilege
level on other equipment (another router with a smaller privilege, e.g. lvl 10,
which will be configured on the router)?
How do I separate them?
My current configuration of users:

 mdopierala  Auth-Type := PAP, Crypt-Password = "passwrd"
        Service-Type = "Administrative-User",
        Cisco-AVPair = "shell:priv-lvl=15",
        Brocade-Auth-Role = "Administrator"

and part of clients.conf

client 192.168.1.1 {
        secret = community
        shortname = router1
}
client 192.168.1.2 {
        secret = community
        shortname = router2
}


I'm waiting for a response
Michal Dopierala
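Two things in the configuration posted above are worth fixing independently of the privilege question: both routers share the secret "community", and the users entry forces Auth-Type := PAP, which the reply in this thread says never to do. The fragments below are an added example showing the corrected form, not configuration from the thread; they assume FreeRADIUS 2.x syntax, and the secret values and the hash are placeholders.

```conf
# ---- raddb/clients.conf ---------------------------------------------------
# One client block per device, each with its own secret.  The shared secret
# is what authenticates the NAS and protects User-Password and the reply
# authenticator; with one secret on every router, whoever obtains it from
# any one device can forge requests and Access-Accept replies for all of
# them.  A per-device secret limits the damage to that device.
client router1 {
        ipaddr    = 192.168.1.1
        secret    = placeholder-long-random-secret-for-router1
        shortname = router1
}
client router2 {
        ipaddr    = 192.168.1.2
        secret    = placeholder-long-random-secret-for-router2
        shortname = router2
}

# ---- raddb/users ----------------------------------------------------------
# The entry from the post with Auth-Type := PAP removed.  rlm_pap sets
# Auth-Type by itself when the request carries User-Password and the control
# list holds a known password attribute; forcing PAP here breaks CHAP,
# MS-CHAP and EAP logins for the same user.  Crypt-Password must hold a
# crypt(3) hash, not the plaintext password ("some_hash" is a placeholder).
mdopierala      Crypt-Password := "some_hash"
                Service-Type = "Administrative-User",
                Cisco-AVPair = "shell:priv-lvl=15",
                Brocade-Auth-Role = "Administrator"
```

Rotate the secrets one device at a time, changing the router and the client block together, so a production router is never left with a secret the server does not know. The Packet-Src-IP-Address checks from the reply work unchanged with named client blocks, since they look at the packet, not at the client definition.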