Nas-Port-Id as username.

Nas-Port-Id as username.

Xbert_badstuber
We are using the Cisco ACS 5.3 as a RADIUS for database authentication and authorization. The purpose is to authenticate incoming users based on the NAS-PORT-ID. The problem is that we cannot find any solution for the Service Router (Alcatel 7750) to send the NAS-PORT-ID to act as USERNAME. The username field is set to the MAC address.

The ACS requires a USERNAME and there is not a way to manipulate the User-Name value once it is received.  
We heard that it could be possible to use the freeradius to act as a proxy for the Cisco secure ACS.

This is what we want:

User --> [SR] --> User-Name = “MAC:xx.xx.xx.xx” Password = “secret” NAS-Port-Id = 1/1/4.1001.129 --> [FR] --> User-Name = “1/1/4.1001.129” Password = “secret” --> [ACS 5.3]

Is there a solution for this option in the Freeradius?

Is there a way to manipulate the User-Name sent from the service router, (MAC address), and change it to its NAS-Port-Id before it reaches the ACS RADIUS with help from the freeradius acting as a proxy?
Re: Nas-Port-Id as username.

Alan DeKok-2
Xbert_badstuber wrote:
> The ACS requires a USERNAME and there is not a way to manipulate the
> User-Name value once it is received.  

  Ugh.  Use a real RADIUS server. :)

> We heard that it could be possible to use the freeradius to act as a proxy
> for the Cisco secure ACS.
>
> This is what we want:
>
> User --> [SR] --> User-Name = “MAC:xx.xx.xx.xx” Password = “secret”
> NAS-Port-Id = 1/1/4.1001.129 --> [FR] --> User-Name = “1/1/4.1001.129”
> Password = “secret” --> [ACS 5.3]
>
> Is there a solution for this option in the Freeradius?

  Yes.  "man unlang".  You can update any attribute to have any value.

> Is there a way to manipulate the User-Name sent from the service router,
> (MAC address), and change it to its NAS-Port-Id before it reaches the ACS
> RADIUS with help from the freeradius acting as a proxy?

authorize {
        ...
        update request {
                # overwrite the User-Name sent by the NAS (the MAC) with the port
                User-Name := "%{NAS-Port-Id}"
        }
        ...
}

  This kind of thing is trivial to do in FreeRADIUS.  Perhaps that's why
it's free... because it works.  You have to pay large amounts of money
to get products that don't do what you want.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
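For readers who want the whole proxy setup rather than just the one update block, here is a complete FreeRADIUS configuration for the flow described in the thread (SR -> FreeRADIUS -> ACS). This is an added example, not configuration posted by anyone in the thread: the client and home-server names, IP addresses and shared secrets are placeholders, and the copy of the original MAC into Tmp-String-0 (an internal attribute that is not forwarded on the wire) is an assumption about what you would want to keep for logging. The guard on NAS-Port-Id is added so that a request without the attribute is rejected instead of being proxied with an empty User-Name.

```unlang
# clients.conf: only the Alcatel 7750 SR may talk to this proxy.
# The NAS-Port-Id becomes the identity sent to ACS, so it must come
# from a NAS we trust; do not open this client block to a wider range.
client sr7750 {
        ipaddr = 192.0.2.10                     # placeholder
        secret = sr-to-freeradius-secret        # placeholder
        nastype = other
}

# proxy.conf: the Cisco ACS 5.3 as a home server behind a realm.
# FreeRADIUS re-encrypts User-Password with this secret when it forwards
# the request, so the password reaches ACS unchanged.
home_server acs53 {
        type = auth
        ipaddr = 192.0.2.20                     # placeholder
        port = 1812
        secret = freeradius-to-acs-secret       # placeholder
        response_window = 20
}

home_server_pool acs_pool {
        type = fail-over
        home_server = acs53
}

realm acs {
        auth_pool = acs_pool
        nostrip                                  # do not touch User-Name on realm handling
}

# sites-enabled/default, authorize section: rewrite, then proxy.
authorize {
        preprocess
        if (NAS-Port-Id) {
                update request {
                        # keep the original MAC for logging (Tmp-String-0 is
                        # internal and is not sent to the home server)
                        Tmp-String-0 := "%{User-Name}"
                        # ":=" replaces the existing User-Name rather than
                        # adding a second one
                        User-Name := "%{NAS-Port-Id}"
                }
                update control {
                        Proxy-To-Realm := "acs"
                }
        }
        else {
                # no port information: do not forward an empty identity
                reject
        }
}
```

To check the rewrite before pointing the SR at the proxy, run the server with `radiusd -X` and send a request that carries all three attributes with radclient, for example `echo 'User-Name="MAC:00-11-22-33-44-55",User-Password="secret",NAS-Port-Id="1/1/4.1001.129"' | radclient -x 127.0.0.1 auth testing123`; the debug output shows the proxied Access-Request with User-Name = "1/1/4.1001.129". Note that `update request` happens before proxying, so the ACS never sees the MAC, and that this design puts the whole identity decision on the NAS-Port-Id value the SR asserts.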
Re: Nas-Port-Id as username.

Xbert_badstuber
It works perfectly, thanks a lot Alan for the fast and useful answer.