I am a newbie to FreeRadius, so my knowledge is not in-depth. I am trying to configure a central radius to handle any network based systems (switches, routers, firewalls, & VPN) to authenticate end-users when they are trying to SSH and/or VPN into the system. All of my equipment supports radius.
Environment:
Reference: I followed this page to get the majority of the system operational (SSLVPN Two - Factor Authentication with Google Authenticator
What is working:
Next Steps (the question): I want to be able to ultimately decide if the end-user is granted access to VPN or switch via AD security groups. So from my understanding, I could perform this within the auth module or the post-auth. I believe the correct place would be in the post-auth possible using unlang (but correct me if this is not the general area to do this). I don't know how/where I need to perform the LDAP lookup to get the user-name AD security group info. In theory, once I have the user's name & group info, these can be used in multiple filters to declare if they get access to a group of systems. Thanks
So I figured out how to accomplish what I was trying to do.
Configure /etc/raddb/clients.conf
Add the option under each client of virtual_server = custom_vs01
Duplicate (copy do not rename) /etc/raddb/sites-available/default to /etc/raddb/sites-available/custom_vs01
Edit custom_vs01. Change the server block to match the file. orig: server default { new: server custom_vs01 {
Change the port for the AUTH and ACCT to an actual port (E.g. 511812 & 511813)
In the post-auth section; add unlang to look for LDAP group So basically if the authenticated user is not part of either of the AD groups, then we update the control and reject them from access
post-auth {
update {
&reply: += &session-state:
}
-sql
exec
remove_reply_message_if_eap
# Custom post-auth policies
if (LDAP-Group == "AD_Group_SystemAdmins") {
update reply {
Class := "AD_Group_SystemAdmins"
}
}
elsif (LDAP-Group == "AD_Group_SystemUsers") {
update reply {
Class := "AD_Group_SystemUsers"
}
}
else {
update reply {
Reply-Message = "Not authorized to access this system"
}
update control {
Auth-Type := "Reject"
}
}