Limit authentication for multiple servers

privacy_permission

Dear Cornelinux

My company has multiple projects. And I set [each user matches just 1 TOTP] to log in (SSH Linux / basic auth web …)

My case: I want to limit:

  • User_1 can only authenticate through server Project A + server Project C
  • User_2 can only authenticate through server Project A + B + C
    If user A uses OTP to authenticate with server Project B + D, authentication will fail.

I tested some policies but they were not fine. Can you suggest how to limit access in this case?

Hello tuangduong,
Great that you are back, and happy to hear that privacyIDEA seems to work out pretty well for you and that you are using it for interesting scenarios.

You can define policies based on the client IPs as they are seen by privacyIDEA.
Usually privacyIDEA will see the RADIUS plugin as the client IP. To avoid this, you can use the override client IP settings in privacyIDEA. Thus the RADIUS plugin will forward the RADIUS client’s IP to the privacyIDEA server.

But as you specify your “projects” in a 192.168.0/24 subnet and have your privacyIDEA server in a 10.0.0.0/24 subnet, you might have some NATing in between, which would lead to you losing the client IP addresses. But still, using the override mechanism should also work with NAT.

My company provides consulting for more sophisticated setups.
Kind regards
Cornelius

Thanks for response.
I read the logs and understand about IP with NAT. The easiest is to put the privacyIDEA server in the same subnet as the project server.
Sorry if I haven’t read the documentation carefully, but I can’t find a “Deny” policy to attach to a specific IP.

So currently, I have temporarily set the policies below (Scope: Authentication):

  • Priority 1: Action { “otppin”: “userstore” }, IP_Project A, User 1/2
  • Priority 2: Action { “otppin”: “userstore” }, IP_Project B, User 2
  • Priority 3: Action { “otppin”: “userstore” }, IP_Project C, User 1/2
  • Priority 4: Action { “otppin”: “userstore” }, IP_Project D, User 3/4/5…
  • …n
  • Priority Last: Action { “otppin”: “tokenpin” }, Remaining IPs, All Users.

And only I know the {tokenpin}. {userstore} comes from the AD server.

Kind regards

You are right. There is no “Deny” policy. The policies in privacyIDEA work differently from firewall policies.

You need to define conditions (like the allowed token types) that match for these particular IPs.
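To make the two points above concrete (the priority-ordered policy set tuangduong posted, and Cornelius's remark that privacyIDEA has no “Deny” and instead matches conditions per client IP), here is an added Python example that is not from the thread or from the privacyIDEA project. It simulates how a priority-ordered set of authentication policies selects the `otppin` action for a given client IP and user: the lowest priority number wins, and an empty `client` or `user` condition matches anything, which is how privacyIDEA's `priority`, `client` and `user` policy attributes behave. The subnets, user names and policy names are constructed assumptions; `rest_payload` shows the parameters such a policy would be created with via privacyIDEA's `POST /policy/<name>` endpoint, but sends nothing.

```python
"""Simulate privacyIDEA-style policy selection by client IP and user.

Constructed example; subnets, user names and policy names are assumptions.
"""
import ipaddress

# Constructed policy set in the shape described in the thread:
# lower "priority" number wins; empty "client"/"user" means "matches any".
POLICIES = [
    {"name": "proj_a", "priority": 1, "action": "otppin=userstore",
     "client": "192.168.1.0/24", "user": "user1,user2"},
    {"name": "proj_b", "priority": 2, "action": "otppin=userstore",
     "client": "192.168.2.0/24", "user": "user2"},
    {"name": "proj_c", "priority": 3, "action": "otppin=userstore",
     "client": "192.168.3.0/24", "user": "user1,user2"},
    {"name": "proj_d", "priority": 4, "action": "otppin=userstore",
     "client": "192.168.4.0/24", "user": "user3,user4,user5"},
    # Catch-all: every other IP and user falls through to the token PIN,
    # which only the administrator knows, so the login fails for them.
    {"name": "catch_all", "priority": 100, "action": "otppin=tokenpin",
     "client": "", "user": ""},
]


def _client_matches(client_field, ip):
    """Empty client condition matches everything; otherwise the IP must lie
    in one of the comma-separated subnets."""
    if not client_field:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net.strip(), strict=False)
               for net in client_field.split(","))


def _user_matches(user_field, username):
    """Empty user condition matches everyone; otherwise exact name match."""
    if not user_field:
        return True
    return username in {u.strip() for u in user_field.split(",")}


def matching_policies(ip, username, policies=POLICIES):
    """Return the matching policies that share the best (lowest) priority."""
    matched = [p for p in policies
               if _client_matches(p["client"], ip)
               and _user_matches(p["user"], username)]
    if not matched:
        return []
    best = min(p["priority"] for p in matched)
    return [p for p in matched if p["priority"] == best]


def otppin_for(ip, username, policies=POLICIES):
    """The otppin value that wins for this client IP and user, or None."""
    chosen = matching_policies(ip, username, policies)
    if not chosen:
        return None
    # Action strings look like "otppin=userstore" (comma-separated if several).
    actions = dict(a.split("=", 1) for a in chosen[0]["action"].split(","))
    return actions.get("otppin")


def rest_payload(policy):
    """Parameters for creating this policy via POST /policy/<name>
    (scope fixed to "authentication"); built only, never sent here."""
    return {"scope": "authentication", "action": policy["action"],
            "client": policy["client"], "user": policy["user"],
            "priority": policy["priority"], "active": True}


if __name__ == "__main__":
    for ip, user in [("192.168.1.10", "user1"), ("192.168.2.10", "user1"),
                     ("192.168.2.10", "user2"), ("10.0.0.5", "user1")]:
        print(ip, user, "->", otppin_for(ip, user))
```

Running it shows that `user1` from the Project B subnet (`192.168.2.10`) never reaches a `userstore` policy and falls to `tokenpin`, while `user2` from the same address gets `userstore`. The “deny” effect therefore comes from the catch-all policy with a PIN nobody else knows, not from a negative rule; the real behaviour also depends on privacyIDEA seeing the true client IP, which is why the override client IP setting matters behind a RADIUS plugin or NAT.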
