Any way to set device group in clients.conf?


Any way to set device group in clients.conf?

Mike Ely
We're authenticating our users via AD using a combination of
clients.conf and then a perl script in post-auth. This works fine with
the exception that the device has to be defined in both clients.conf and
the perl script. To avoid the possibility of mistakes I'm trying to
remove this duplication if at all possible. After scouring the official
documentation all afternoon as well as looking at external sources I'm
nowhere closer to knowing how to do this than before.

Ideally I'd like to do something like this:

client router-a {
        ipaddr = 1.2.3.4
        secret = topsecret
        deviceclass = NOC_only
}

client IPMI-a {
        ipaddr = 2.3.4.5
        secret = moresecret
        deviceclass = OPS_only
}

client VPM-a {
        ipaddr = 3.4.5.6
        secret = mostsecret
        deviceclass = NOC_OPS
}

I'm not attached to "deviceclass" in any literal sense, just using it as
an example of what I'm trying to accomplish. Ideally then the perl
script could do what it normally does, which is to examine the
authenticated request and authorize if the authenticated user is a
member of the requisite group, only it's looking up the device's type
from the original request rather than having to maintain a separate
array of IP addresses which can get out of sync from clients.conf.

One thing I had considered was adding the bogus deviceclass attribute in
clients.conf and just having the perl script read that out of the file,
but then I ran into a stopper: among the many unforgivable bugs the
Supermicro IPMI has in its radius stack is that it _always_ passes
127.0.0.1 as its NAS-IP-Address in the radius request:

(0) perl: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} ->
'127.0.0.1'

Thus the perl script assumes that any request coming in with that
attribute pair is an IPMI:

my @ipmi = '127.0.0.1';

Please forgive this digression, but I felt it useful to explain the sort
of Catch-22 situation that I'm in with these IPMI devices. Any help
figuring out how to get a device type set from clients.conf would be
very welcome.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Any way to set device group in clients.conf?

Alan DeKok-2
On Aug 8, 2019, at 8:00 PM, Mike Ely <[hidden email]> wrote:

>
> We're authenticating our users via AD using a combination of
> clients.conf and then a perl script in post-auth. This works fine with
> the exception that the device has to be defined in both clients.conf and
> the perl script. To avoid the possibility of mistakes I'm trying to
> remove this duplication if at all possible. After scouring the official
> documentation all afternoon as well as looking at external sources I'm
> nowhere closer to knowing how to do this than before.
>
> Ideally I'd like to do something like this:
>
> client router-a {
>         ipaddr = 1.2.3.4
>         secret = topsecret
>         deviceclass = NOC_only
> }

  You can do that.  A small secret is that the configuration files are a key-value store.  You can put pretty much anything you want in there, so long as the data follows the standard format.

> I'm not attached to "deviceclass" in any literal sense, just using it as
> an example of what I'm trying to accomplish. Ideally then the perl
> script could do what it normally does, which is to examine the
> authenticated request and authorize if the authenticated user is a
> member of the requisite group, only it's looking up the device's type
> from the original request rather than having to maintain a separate
> array of IP addresses which can get out of sync from clients.conf.

  You can use %{client:deviceclass} to get the deviceclass field from the configuration files.

  To use that in Perl, you will have to copy the value into an attribute.  Perl can't call the %{...} expansions, unfortunately.

> One thing I had considered was adding the bogus deviceclass attribute in
> clients.conf and just having the perl script read that out of the file,
> but then I ran into a stopper: among the many unforgivable bugs the
> Supermicro IPMI has in its radius stack is that it _always_ passes
> 127.0.0.1 as its NAS-IP-Address in the radius request:
>
> (0) perl: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} ->
> '127.0.0.1'

  Yeah.  That's why we don't trust NAS-IP-Address.  It can be anything.

> Thus the perl script assumes that any request coming in with that
> attribute pair is an IPMI:
>
> my @ipmi = '127.0.0.1';

  Look at Packet-Src-IP-Address to see which IP the packet came from.  Or, do:

        update request {
                Tmp-String-0 := "%{client:deviceclass}"
        }
        perl

  and then access Tmp-String-0 in the Perl module.  Which will contain the device class.

> Please forgive this digression, but I felt it useful to explain the sort
> of Catch-22 situation that I'm in with these IPMI devices. Any help
> figuring out how to get a device type set from clients.conf would be
> very welcome.
 
  You've got 70% of it already.  Just 3 lines of extra glue is all you need.

  Alan DeKok.
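One way the Perl side can consume the glue Alan describes, as an added example that is not code from the thread: the post_auth hook reads the device class out of Tmp-String-0 and checks it against a per-class list of AD groups, so the only place a device is classified is clients.conf. It assumes the hook runs in post-auth after the `update request` block shown above, that the existing AD lookup has already put the user's group names into Tmp-String-1 (one value per group), and that the constants match those in rlm_perl's shipped example.pl.

```perl
use strict;
use warnings;

our (%RAD_REQUEST, %RAD_REPLY);

# Return codes and log levels as defined in rlm_perl's shipped example.pl.
use constant {
    RLM_MODULE_REJECT => 0,
    RLM_MODULE_OK     => 2,
    L_AUTH            => 2,
};

# AD groups permitted for each device class. Classes come from clients.conf
# via Tmp-String-0, so no per-IP list has to be maintained here.
my %allowed_groups = (
    NOC_only => ['NOC'],
    OPS_only => ['OPS'],
    NOC_OPS  => ['NOC', 'OPS'],
);

# rlm_perl passes a multi-valued attribute as an array ref; normalise to a list.
sub attr_values {
    my ($v) = @_;
    return () unless defined $v;
    return ref $v eq 'ARRAY' ? @$v : ($v);
}

# Decision logic kept free of the RAD_* globals so it can be unit tested.
sub class_permits {
    my ($class, @groups) = @_;
    my $wanted = $allowed_groups{$class} or return 0;   # unknown class: deny
    my %have = map { $_ => 1 } @groups;
    return (grep { $have{$_} } @$wanted) ? 1 : 0;
}

sub post_auth {
    my $class = $RAD_REQUEST{'Tmp-String-0'};
    # Client without a deviceclass in clients.conf: fail closed.
    unless (defined $class && length $class) {
        &radiusd::radlog(L_AUTH, "no deviceclass for this client, rejecting");
        return RLM_MODULE_REJECT;
    }
    # ASSUMPTION: the user's AD groups were copied into Tmp-String-1 (one value each).
    my @groups = attr_values($RAD_REQUEST{'Tmp-String-1'});
    return RLM_MODULE_OK if class_permits($class, @groups);
    &radiusd::radlog(L_AUTH, "$RAD_REQUEST{'User-Name'} denied on class $class");
    $RAD_REPLY{'Reply-Message'} = "Not authorized for this device class";
    return RLM_MODULE_REJECT;
}
1;
```

Because the class is taken from the server's own client definition rather than from NAS-IP-Address, the Supermicro IPMI's hard-coded 127.0.0.1 no longer matters to the decision.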