I need to assign different RADIUS return attributes for a set of users based on what the user is attempting to authenticate to. I’m using an SQL resolver and have created custom user attributes and assigned them to the user, e.g., APC, Cisco, Arista. I have already configured Authorization policies in PI and distinguished Client IPs per policy.
As an example, I have a user, jdoe, that needs privilege 15 access to all Cisco devices (RADIUS return should be ‘priv-lvl=15’) but that same user should be able to login to APC UPS network management cards with ‘Admin’ privileges and Arista switches with priv 15 (‘shell:priv-lvl=15’).
What I’m noticing is my rlm_perl.ini config is sending all responses to users for all configurations I have set (Cisco priv 15, APC Admin, Arista priv 15). I only want a return response based on what that user is trying to access (Cisco switch vs Arista switch vs APC, etc.). Anyone have any insight if this is possible? Thanks.
I need to be able to have the rlm_perl.ini file send RADIUS responses based on specific device logins, e.g., user jdoe should have “priv-lvl=15” ONLY when logging into Cisco switches. That same user should get RADIUS response “Administrative-User” ONLY when logging into APC UPS network cards.
I’m not a software engineer so I really don’t know if I need to modify the privacyidea_radius.pm file to make this work, but what I’m seeing is all RADIUS responses I have set in the ini file are being sent to the user jdoe regardless of what the user is logging into. This presents problems with, say, VPN since some of these attributes are invalid for a VPN response. Any help is welcomed. Thanks.
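One way to get the per-device behaviour asked about above is to leave rlm_perl.ini mapping the user's attributes as it does now and filter the reply list afterwards in FreeRADIUS unlang, keyed on which client sent the request. This is an added example, not from this thread or from privacyIDEA; it assumes FreeRADIUS 3 syntax, that client shortnames in clients.conf follow a prefix convention (cisco-, arista-, apc-, vpn-), and that the mapped values are Cisco-AVPair "shell:priv-lvl=15" and Service-Type Administrative-User.

```unlang
# Added example (assumptions: FreeRADIUS 3 unlang; shortname prefixes below).
# Matching clients.conf entries, one per NAS, e.g.:
#
#   client cisco-core01 { ipaddr = 192.0.2.10  secret = <placeholder> }
#   client arista-leaf02 { ipaddr = 192.0.2.20 secret = <placeholder> }
#   client apc-ups03    { ipaddr = 192.0.2.30  secret = <placeholder> }
#   client vpn-fw01     { ipaddr = 192.0.2.40  secret = <placeholder> }
#
# Goes in the post-auth section of sites-enabled/privacyidea, i.e. after
# privacyidea_radius.pm has accepted the user and rlm_perl.ini has copied
# the user's mapped attributes into the reply list. Nothing is added here,
# only removed, so a user who was never mapped to priv 15 still gets nothing.
post-auth {
    # "shell:priv-lvl=15" only means something to Cisco and Arista CLI
    # logins. For every other client type (VPN included) remove exactly
    # that value; "-=" deletes matching instances and leaves any other
    # Cisco-AVPair values the VPN concentrator may legitimately need.
    if ("%{client:shortname}" !~ /^(cisco|arista)-/) {
        update reply {
            &Cisco-AVPair -= "shell:priv-lvl=15"
        }
    }

    # Service-Type = Administrative-User is what the APC network cards
    # expect; strip it for everything that is not an APC card so a VPN
    # or switch reply never carries it.
    if ("%{client:shortname}" !~ /^apc-/) {
        update reply {
            &Service-Type -= Administrative-User
        }
    }

    # Leave a trace of what was actually returned per client so the
    # filtering can be checked in radius.log without a packet capture.
    update request {
        &Module-Success-Msg := "reply to %{client:shortname}: avpair=%{reply:Cisco-AVPair} service=%{reply:Service-Type}"
    }
}
```

Run radiusd -X and authenticate once from a client of each prefix to confirm only the intended attribute survives in each Access-Accept.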
Hi,
we had a similar requirement. I solved it with custom clients, pre- and post-auth scripts.
I changed the clients.conf and added $INCLUDE /etc/freeradius/3.0/clients/
and in sites-enabled/privacyidea: