Help with assigning RADIUS return attributes

Hello,

I need to assign different RADIUS return attributes for a set of users based on what the user is attempting to authenticate to. I'm using an SQL resolver and have created custom user attributes and assigned them to the user, e.g., APC, Cisco, Arista. I have already configured Authorization policies in PI and distinguished client IPs per policy.

As an example, I have a user, jdoe, who needs privilege 15 access to all Cisco devices (the RADIUS return should be 'priv-lvl=15'), but that same user should be able to log in to APC UPS network management cards with 'Admin' privileges and to Arista switches with priv 15 ('shell:priv-lvl=15').

What I'm noticing is that my rlm_perl.ini config is sending all responses to users for all configurations I have set (Cisco priv 15, APC Admin, Arista priv 15). I only want a return response based on what that user is trying to access (Cisco switch vs. Arista switch vs. APC, etc.). Does anyone have any insight into whether this is possible? Thanks.

Joe

Update for clarity:

I need to be able to have the rlm_perl.ini file send RADIUS responses based on specific device logins, e.g., user jdoe should get "priv-lvl=15" ONLY when logging into Cisco switches. That same user should get the RADIUS response "Administrative-User" ONLY when logging into APC UPS network cards.

I'm not a software engineer, so I really don't know if I need to modify the privacyidea_radius.pm file to make this work, but what I'm seeing is that all RADIUS responses I have set in the ini file are being sent to the user jdoe regardless of what the user is logging into. This presents problems with, say, VPN, since some of these attributes are invalid for a VPN response. Any help is welcome. Thanks.

Hi,
We had a similar requirement. I solved it with custom clients and pre- and post-auth scripts.
I changed clients.conf and added $INCLUDE /etc/freeradius/3.0/clients/
and in sites-enabled/privacyidea:

server {
    authorize {
        $INCLUDE /etc/freeradius/3.0/site-configs/authorize/
    }

    post-auth {
        $INCLUDE /etc/freeradius/3.0/site-configs/post-auth/
    }
}

and in the .conf files under post-auth, something like:

if (&client-shortname == "APC") {
    update reply {
        &RADIUS-Attribute := some-needed-value
    }
}

best regards
Andreas

Thanks for the reply. I appreciate the help and suggestions. Do I need to modify the rlm_perl.ini file or should this be left at defaults?

I only changed the mapping in rlm_perl.ini for return values from PI, to put them into RADIUS attributes.

[Mapping]
#serial = privacyIDEA-Serial
user-resolver = Fortinet-Group-Name

[Mapping user]
#returns Group1, Group2 properties from SQL-Resolver to response
Group1 = Fortinet-Group-Name
Group2 = Fortinet-Group-Name

To anyone looking for a solution to my original post: I was able to figure it out through TONS of blood, sweat, and tears. See the following:

  • I wanted to send RADIUS replies based on a device type (switch, router, firewall, etc.). To do this, you MUST modify the FreeRADIUS dictionary to declare the "nas_type" attribute:

nano /etc/freeradius/3.0/dictionary:

ATTRIBUTE nas_type 3001 string

  • Then, you need to set the “nas_type” for each of your RADIUS clients:

nano /etc/freeradius/3.0/clients.conf:

client x.x.x.x {
    secret = password
    shortname = Switch1
    nas_type = Switch
}
(rinse and repeat as necessary)

  • Then, you need to modify /etc/freeradius/3.0/sites-enabled/privacyidea to set the attributes and replies:

nano /etc/freeradius/3.0/sites-enabled/privacyidea:

server privacyidea {
    listen {
        type = auth
        ipaddr = *
        port = 0
    }

    authorize {
        preprocess
        files

        # Assign NAS-Type from clients.conf
        if ("%{client:nas_type}") {
            update control {
                nas_type := "%{client:nas_type}"
            }
        }

        # Call privacyIDEA Perl module
        perl-privacyidea

        # Set Auth-Type if authentication is successful
        if (ok || updated) {
            update control {
                Auth-Type := Perl
            }
        }
    }

    authenticate {
        # Use Perl for authentication
        Auth-Type Perl {
            perl-privacyidea
        }
    }

    post-auth {
        # Apply privileges based on NAS-Type; clients without a nas_type
        # (e.g. a VPN concentrator) get no privilege attribute at all
        if (&control:nas_type) {
            if (&control:nas_type == "Switch") {
                update reply {
                    Cisco-AVPair := "shell:priv-lvl=15"
                }
            }
            elsif (&control:nas_type == "APC") {
                update reply {
                    Service-Type := Administrative-User
                }
            }
        }
    }
}

Rinse and repeat each “post-auth” line for more device types using the “elsif” command.

  • In PI's Web UI, create a new Authorization policy. Set the client IPs for whatever devices should match the policy. Click on the action tab and tick the checkbox "add_user_in_response". Save the policy.

  • Run “freeradius -XC” to make sure all of your files have the proper syntax, spacing, etc.

  • Run “freeradius -X” and attempt an authentication. View the logs for any errors.
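As an added example (not code from this thread, and not part of privacyIDEA or FreeRADIUS), the following Python script does the check you want once either Andreas's client-shortname condition or the nas_type chain above is in place: it decodes a RADIUS Access-Accept, verifies the Response Authenticator against the shared secret, and compares the reply attributes with a per-nas_type allow-list, so that a reply to a VPN concentrator carrying Cisco-AVPair or Administrative-User is flagged. The shared secret, Request Authenticator, the two packets and the "VPN" NAS type are all constructed or assumed here; Service-Type (6), Vendor-Specific (26), Cisco's enterprise number (9) and Cisco-AVPair (sub-type 1) are the standard RADIUS values.

```python
"""Decode a RADIUS Access-Accept and check its reply attributes against a
per-NAS-type allow-list.  Added example, not code from the thread or from
privacyIDEA/FreeRADIUS: the packets, shared secret and policy table are
constructed here for illustration."""
import hashlib
import hmac
import struct

CODE_ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6        # RFC 2865 Service-Type, 4-byte integer
ATTR_VENDOR_SPECIFIC = 26    # RFC 2865 Vendor-Specific container
VENDOR_CISCO = 9             # IANA enterprise number for Cisco
CISCO_AVPAIR = 1             # Cisco VSA sub-type 1 = Cisco-AVPair
SERVICE_TYPE_NAMES = {1: "Login-User", 2: "Framed-User", 6: "Administrative-User"}

# Allow-list per nas_type, mirroring the post-auth elsif chain: a Switch may
# receive only the Cisco priv-lvl AVPair, an APC card only Service-Type, and a
# VPN concentrator (assumed NAS type) none of these privilege attributes.
POLICY = {
    "Switch": {("Cisco-AVPair", "shell:priv-lvl=15")},
    "APC": {("Service-Type", "Administrative-User")},
    "VPN": set(),
}


def encode_attr(atype, value):
    """Type-Length-Value encoding of one RADIUS attribute."""
    return bytes([atype, len(value) + 2]) + value


def encode_vsa(vendor_id, vtype, value):
    """Vendor-Specific attribute wrapping one vendor sub-attribute."""
    sub = bytes([vtype, len(value) + 2]) + value
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack(">I", vendor_id) + sub)


def build_access_accept(ident, request_auth, secret, attrs):
    """Access-Accept with the RFC 2865 Response Authenticator:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack(">BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response_authenticator(packet, request_auth, secret):
    """True only if the reply was built with our shared secret for the request
    that carried request_auth; a forged or replayed Access-Accept fails here."""
    header, recv_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, recv_auth)


def parse_reply_attributes(packet):
    """Walk the attribute list and return [(name, decoded value), ...]."""
    _code, _ident, length = struct.unpack(">BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("length field does not match packet")
    out, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_SERVICE_TYPE and len(value) == 4:
            st = struct.unpack(">I", value)[0]
            out.append(("Service-Type", SERVICE_TYPE_NAMES.get(st, str(st))))
        elif atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack(">I", value[:4])[0]
            sub = value[4:]
            while len(sub) >= 2:          # one VSA may carry several sub-attributes
                vtype, vlen = sub[0], sub[1]
                if vlen < 2 or vlen > len(sub):
                    raise ValueError("malformed vendor sub-attribute")
                vval = sub[2:vlen]
                if vendor == VENDOR_CISCO and vtype == CISCO_AVPAIR:
                    out.append(("Cisco-AVPair", vval.decode("ascii", "replace")))
                else:
                    out.append(("VSA-%d-%d" % (vendor, vtype), vval.hex()))
                sub = sub[vlen:]
        else:
            out.append(("Attr-%d" % atype, value.hex()))
        pos += alen
    return out


def check_reply(nas_type, attrs):
    """List every reply attribute the policy does not allow for this NAS type."""
    allowed = POLICY.get(nas_type, set())
    return ["%s: unexpected %s=%s" % (nas_type, n, v) for n, v in attrs if (n, v) not in allowed]


def demo_packets():
    """Constructed packets: 'leaky' carries both privilege attributes (the
    symptom described in the thread); 'fixed' carries only the Switch one."""
    secret = b"testing123"                 # constructed shared secret, not a real one
    request_auth = bytes(range(16))        # constructed Request Authenticator
    admin = encode_attr(ATTR_SERVICE_TYPE, struct.pack(">I", 6))
    priv15 = encode_vsa(VENDOR_CISCO, CISCO_AVPAIR, b"shell:priv-lvl=15")
    return {
        "secret": secret,
        "request_auth": request_auth,
        "leaky": build_access_accept(7, request_auth, secret, admin + priv15),
        "fixed": build_access_accept(8, request_auth, secret, priv15),
    }


if __name__ == "__main__":
    p = demo_packets()
    for name in ("leaky", "fixed"):
        pkt = p[name]
        print(name, "authenticator ok:", verify_response_authenticator(pkt, p["request_auth"], p["secret"]))
        attrs = parse_reply_attributes(pkt)
        for nas_type in ("Switch", "APC", "VPN"):
            print("  ", nas_type, check_reply(nas_type, attrs) or "ok")
```

To run this against a real server you need the raw bytes of the Access-Accept and the Request Authenticator of the Access-Request it answers (for example from a packet capture of a radclient test); the authenticator check is deliberately tied to that request so a reply cannot be validated in isolation. The policy table is an allow-list: anything not listed for a NAS type is reported, which is the behaviour you want when a VPN reply must stay free of switch privilege attributes.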

Thank you. You got me down the right path but I had to navigate my own way after that to get me to a working state. I appreciate the help!