Limit authentication multi server


Dear Cornelinux

My company had multi project. And i setting [each user —match—just 1 TOTP] to login (ssh linux/ basic authen web …)

My case : i want limit:

  • User_1 only authenticaion passthrought server Project A + server Project C
  • User_2 only authenticaion passthrought server Project A + B +C
    If user A use OTP to authen with server Project B + D. Authen will fail.

I test some policy but not fine. Can you sugest me how limit access this case?

Hello tuangduong,
great that you are back and happy to hear that privacyIDEA seems to work out for you pretty well and you are using it for interesting scenarios.

You can define policies based on the client IPs as they are seen by privacyIDEA.
Usually privacyIDEA will see the RADIUS plugin as the client IP. To avoid this, you can use override the client IP settings in privacyIDEA. Thus the RADIUS plugin will forward the RADIUS client’s IP to the privacyIDEA server.

But as you specify you “projects” in a a 192.168.0/24 subnet and have your privacyIDEA server in a subnet, you might have some NATing in between, which would lead to you loosing the client IP addresses. But still, using the override mechanism should also work with NAT.

My company provides consulting for more sophisticated setups.
Kind regards

Thanks for response.
I read logs and understand about IP with NAT. Easest is server PrivacyIDEA same subnet with server Project.
Sorry if I haven’t read Document carefully, I can’t find policy “Deny” to attach special IP.

So current, I temporary setting policy bellow: (Scope: Authentication)
__Priority 1: Action { “otppin”: “userstore” } , IP_Project A, User 1/2
__Priority 2: Action { “otppin”: “userstore” } , IP_Project B, User 2
__Priority 3: Action { “otppin”: “userstore” } , IP_Project C, User 1/2
__Priority 4: Action { “otppin”: “userstore” } , IP_Project D, User 3/4/5…
__ …n
__ …n
__ …n
__ Priority Last: Action { “otppin”: “tokenpin” }, Remain IP, All User.
And only me know {tokenpin}. {userstore} get from AD_Server.

Kind regards

You are right. There is no “Deny” policy. The policies in privacyIDEA work different from firewall policies.

You need to define conditions (like the allowed tokentypes) that match for this certain IP.

1 Like