FreeRADIUS policy to restrict certain users trying to log on a specific device

freeradius

What I have:
freeradius 2.1.10 on debian, configured to use a database.

How it works now:
There are many devices on the network and users, the users log on devices to configure them and so on. The users can log on to anything. For example some devices (ciscos) the user account on radius comes along with privileges (cisco-avpair attribute) that restrict what that individual can and cannot do on cisco devices.

What I want freeradius to do in addition, for a specific special case:
There's a special device that only select users should be able to authenticate into. Everyone else should be just denied access. (so, more strict than the cisco example above).

What I think I should be doing is first define my own attribute for example company-special-privilege so that I can set that for some users in the database with a value of 0 or 1. Then define some policy in policy.conf.

What I'm asking:
Never done policies and I don't understand where they're applied in the rest of the freeradius config (where should I put my special_access policy).
Also unsure how to formulate it but the following pseudocode should represent what I want:

special_access {
    if (request to log in $special_device_ip) {
        if ($username company-special-privilege) {
            reject #
        }
    }
}

From the above I don't know how to get the device IP or the attribute that the user is set with. I'm not doing a == 1 on the attribute in the second condition in case the user doesn't have the attribute as I don't know what that would imply but any user that doesn't have 1 must be rejected.

Best Answer

You should put it in raddb/policy.conf inside the policy {} stanza. Then they can be referenced (by their name) as you would a normal module, in authorize, authenticate, post-auth etc...

Policies in FreeRADIUS are essentially macros, they're not functions, they don't take arguments.

Defining a special attribute to control policy decisions is fine, do it in raddb/dictionary unless you have an IANA number and want to spin your own custom dictionary. An easier way may just be to query SQL directly.

I'm not sure what you want to do specifically, but here's an example that may help... Modify as necessary

special_access {
    if ("%{Called-Station-ID}" == 'special device') {
        if ("%{sql:SELECT special_priv FROM table WHERE username = '%{User-Name}'}" != '1') {
            reject
        }
    }
}

Related Solutions

Samba – Write hash password to LDAP when creating a new user

Since you are using OpenLDAP, if you have a compatible hashed format (and here), you can enter the hash directly into the userPassword attribute. Take care that some LDAP clients may second-guess modifications to userPassword and apply hashing (similar to the way some LDAP servers automatically modify or hash this attribute when written). ldapadd/ldapmodify will correctly update the password without re-interpreting it (as long as you don't have a server password policy ppolicy_hash_cleartext in effect, which might complicate things).

You will need to determine the format you have, and prefix the hash or hash+salt format with type type, e.g. {SHA}xxxxxx or {SSHA}xxxxxx (where xxxxxx is a base64 encoded hash or hash+salt respectively).

If it's crypt format, you can enter it with a {crypt} prefix, but in the case of OpenLDAP you will need to have a build configured with --enable-crypt, since its use is deprecated. OpenLDAP will use the C library crypt() function, there can be platform specific variations in its output. On Linux there's a simple workaround, crypt() is in its own libcrypt library which you can "adjust" at compile- or run-time. (Also note crypt() is not re-entrant, so slapd uses a mutext to protect calls to it.) See also password-crypt-salt-format for solving the problem in the other direction: making OpenLDAP store passwords in various crypt formats.

Since you are using Samba, you should research also the smbk5pwd overlay (the README is more useful). Note though this requires password changes to use a proper password modify operation rather than direct modification of userPassword.

With OpenLDAP you also have the option of delegating password verification to an external system via SASL (also requires non-default build configuration), which may suffice during a migration window until all users reset their passwords. A further option (which often comes as a surprise), is that OpenLDAP also supports multiple passwords per-user, each of which is tried in turn during authentication. While slightly fragile (it requires all writers of the userPassword attribute to do The Right Thing), it can help with migration, especially when merging multiple systems.

Mysql – FreeRadius Accounting not working, bad passwords not cheked

Finally solved my issue, the problem was a tipo issue, I have in my database:

 160 | e6867740-7d07-4783-b210-5cc3accb44eb | ClearText-Password | := | pass

I wrote ClearText-Password with the T of "text" in capital letter.

The right way is Cleartext-Password with the t of "text" non capital letter.

Best Answer

Related Solutions

Samba – Write hash password to LDAP when creating a new user

Mysql – FreeRadius Accounting not working, bad passwords not cheked

Related Topic