I need to assign different RADIUS return attributes for a set of users based on what the user is attempting to authenticate to. I'm using an SQL resolver and have created custom user attributes and assigned them to the user, e.g., APC, Cisco, Arista. I have already configured Authorization policies in PI and distinguished Client IPs per policy.
As an example, I have a user, jdoe, that needs privilege 15 access to all Cisco devices (the RADIUS return should be 'priv-lvl=15'), but that same user should be able to log in to APC UPS network management cards with 'Admin' privileges and Arista switches with priv 15 ('shell:priv-lvl=15').
What I'm noticing is my rlm_perl.ini config is sending all responses to users for all configurations I have set (Cisco priv 15, APC Admin, Arista priv 15). I only want a return response based on what that user is trying to access (Cisco switch vs. Arista switch vs. APC, etc.). Anyone have any insight if this is possible? Thanks.
I need to be able to have the rlm_perl.ini file send RADIUS responses based on specific device logins, e.g., user jdoe should have "priv-lvl=15" ONLY when logging into Cisco switches. That same user should get the RADIUS response "Administrative-User" ONLY when logging into APC UPS network cards.
I'm not a software engineer, so I really don't know if I need to modify the privacyidea_radius.pm file to make this work, but what I'm seeing is all RADIUS responses I have set in the ini file are being sent to the user jdoe regardless of what the user is logging into. This presents problems with, say, VPN, since some of these attributes are invalid for a VPN response. Any help is welcomed. Thanks.
Hi,
We had a similar requirement. I solved it with custom clients and pre- and post-auth scripts.
I changed the clients.conf and added $INCLUDE /etc/freeradius/3.0/clients/
and in sites-enabled/privacyidea:
To anyone looking to find a solution to my original post, I was able to figure it out through TONS of blood, sweat, and tears. See the following:
I wanted to send RADIUS replies based on a device type (switch, router, firewall, etc.). To do this, you MUST modify the FreeRADIUS dictionary to declare the "nas_type" attribute:
nano /etc/freeradius/3.0/dictionary:
ATTRIBUTE nas_type 3001 string
Then, you need to set the “nas_type” for each of your RADIUS clients:
nano /etc/freeradius/3.0/clients.conf:
client x.x.x.x {
    secret = password
    shortname = Switch1
    nas_type = Switch
}
(rinse and repeat as necessary)
Then, you need to modify /etc/freeradius/3.0/sites-enabled/privacyidea to set the attributes and replies:
# Inside the server block of /etc/freeradius/3.0/sites-enabled/privacyidea.
# The server's listen section:
listen {
    type = auth
    ipaddr = *
    port = 0
}
authorize {
    # (earlier entries of the authorize section are left as they are)
    # Copy the client's nas_type item into the control list so post-auth can see it
    if ("%{client:nas_type}") {
        update control {
            nas_type := "%{client:nas_type}"
        }
    }
    # Call PrivacyIDEA Perl module
    perl-privacyidea
    # Set Auth-Type if authentication is successful
    if (ok || updated) {
        update control {
            Auth-Type := Perl
        }
    }
}
authenticate {
    # Use Perl for authentication
    Auth-Type Perl {
        perl-privacyidea
    }
}
post-auth {
    # Apply privileges based on NAS-Type (quotes must be plain ASCII quotes)
    if (&control:nas_type) {
        if (&control:nas_type == "Switch") {
            update reply {
                Cisco-AVPair := "shell:priv-lvl=15"
            }
        }
        elsif (&control:nas_type == "APC") {
            update reply {
                Service-Type := Administrative-User
            }
        }
    }
}
Rinse and repeat each “post-auth” line for more device types using the “elsif” command.
In PI's web GUI, create a new Authorization policy. Set the client IPs for whatever devices should match the policy. Click on the action tab and tick the checkbox "add_user_in_response". Save the policy.
Run “freeradius -XC” to make sure all of your files have the proper syntax, spacing, etc.
Run “freeradius -X” and attempt an authentication. View the logs for any errors.
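As an added check (my own script, not part of the original post or of FreeRADIUS/privacyIDEA): this parses a clients.conf in the shape shown above and reports, per client, which reply attribute the post-auth branches would add. A client with no nas_type (or a nas_type with no elsif branch) falls through every branch and gets no privilege attribute, which is the behaviour you want for e.g. a VPN gateway. It assumes flat client blocks (no nested limit subsections) and unquoted single-word values; the sample configuration below is constructed.

```python
import re

# Constructed sample clients.conf: two tagged NAS clients and one untagged one.
SAMPLE_CLIENTS_CONF = """
client 192.0.2.10 {
    secret = example-shared-secret
    shortname = Switch1
    nas_type = Switch
}
client 192.0.2.20 {
    secret = example-shared-secret
    shortname = UPS1
    nas_type = APC
}
client 192.0.2.30 {
    secret = example-shared-secret
    shortname = VPN1
}
"""

# Mirror of the post-auth branches in the site file: nas_type -> reply attribute.
REPLY_BY_NAS_TYPE = {
    "Switch": ("Cisco-AVPair", "shell:priv-lvl=15"),
    "APC": ("Service-Type", "Administrative-User"),
}

# Assumes flat "client <addr> { key = value ... }" blocks without nested sections.
CLIENT_BLOCK = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
ITEM = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(\S+)", re.M)


def parse_clients(text):
    """Return {client_address: {item: value}} for every client block."""
    return {m.group(1): dict(ITEM.findall(m.group(2))) for m in CLIENT_BLOCK.finditer(text)}


def expected_replies(text):
    """Per client, the (attribute, value) post-auth would add, or None on fall-through."""
    return {addr: REPLY_BY_NAS_TYPE.get(items.get("nas_type"))
            for addr, items in parse_clients(text).items()}


def untagged_clients(text):
    """Clients that match no post-auth branch and so get no privilege attribute."""
    return sorted(addr for addr, reply in expected_replies(text).items() if reply is None)


if __name__ == "__main__":
    for addr, reply in expected_replies(SAMPLE_CLIENTS_CONF).items():
        print(addr, "->", "%s = %s" % reply if reply else "no privilege attribute")
```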