Possible? Same client with separate secrets for service separation?


Possible? Same client with separate secrets for service separation?

Burrill, Jim
We have a large number of users in an ldap database and we have successfully
connected freeradius with it.  We have also been able to connect a specific
client ip address to a specific LDAP group to allow or disallow access to a
specific device based on group membership.   What we have found is that in
the case of PIX it tends to be all or nothing.  If one can authenticate thru
the firewall for vpn purposes, they can also authenticate by ssh for admin
purposes.  Is it possible to configure a cisco Pix with separate radius
definitions and auth against Freeradius using separate secrets so you can
separate to specific groups?  We've attempted it and it seems to find the
first client on the list and ignores the second.  Any Ideas?  

The PIX unfortunately does not give any indication of type of connection thru
NAS-Port (on pix this is just a session number).   Only hope of separation
it appears is thru calling-station-id, but that appears to be a real messy
way.

Below is a sample of what we've been attempting to do.

Thanks for any assistance!


Cisco Pix 6.3 Firewall

------------------
Pertinent pix configuration items
------------------
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.1.10 secret1 timeout 10

aaa-server RADIUSVPN protocol radius
aaa-server RADIUSVPN (inside) host 192.168.1.10  secret2 timeout 10

aaa authentication ssh console RADIUS LOCAL

crypto map outside_map client authentication RADIUSVPN


------------------
clients.conf
------------------
client 192.168.1.20 {
        secret          =  secret1
        shortname       =  pixssh
        nastype         = Cisco
}

client 192.168.1.20 {
        secret          =  secret2
        shortname       =  pixvpn
        nastype         = Cisco
}



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Possible? Same client with separate secrets for service separation?

Alan DeKok
"Burrill, Jim" <[hidden email]> wrote:
> Is it possible to configure a cisco Pix with separate radius
> definitions and auth against Freeradius using separate secrets so you can
> separate to specific groups?

  That would be up to the PIX.

> We've attempted it and it seems to find the
> first client on the list and ignores the second.  Any Ideas?  

  Listing two "clients" entries in FreeRADIUS won't work.  A short way
to get around it is to run two radius servers on the same machine, one
on port X (for VPN), and one on port Y (for admin access).  They can
each have different shared secrets for the PIX, and different
databases.

  As of yesterday, the current CVS head supports per-socket lists of
clients.  So you can run one server, have it listen on two ports, and
have different shared secrets for a client on each port.

  Alan DeKok.


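The configuration below is an added example, not something posted in this thread and not the project's own documentation. It shows how the per-socket client lists Alan describes are expressed in the syntax that later shipped in FreeRADIUS 2.x (`clients = <name>` inside a `listen` section, plus `virtual_server` to give each socket its own policy), applied to Jim's clients.conf above: the same PIX address appears under two different shared secrets, but each secret is bound to its own UDP port, so the server no longer has to guess which entry applies. The second port (1822), the virtual server names, the LDAP group names and the file paths are assumptions, and the matching PIX-side command to send VPN requests to that second port is not shown because it is not in the thread.

```conf
# radiusd.conf fragment (FreeRADIUS 2.x syntax, example only; not from the thread)

# Socket 1: ssh/admin authentication from the PIX, using secret1.
listen {
        type           = auth
        ipaddr         = 192.168.1.10       # the server address used in Jim's PIX config
        port           = 1812
        clients        = pixssh             # only the client list named below is valid here
        virtual_server = pix-admin          # assumed name; policy for admin access
}

# Socket 2: VPN authentication from the same PIX, using secret2.
# The PIX must be configured to send its RADIUSVPN requests to this port.
listen {
        type           = auth
        ipaddr         = 192.168.1.10
        port           = 1822               # assumed non-standard port, chosen for this example
        clients        = pixvpn
        virtual_server = pix-vpn            # assumed name; policy for VPN users
}

# Per-socket client lists. Both describe the PIX at 192.168.1.20, but a
# request arriving on port 1812 is only ever checked against secret1 and
# one arriving on port 1822 only against secret2, so there is no ambiguity.
clients pixssh {
        client 192.168.1.20 {
                secret    = secret1
                shortname = pixssh
                nastype   = cisco
        }
}

clients pixvpn {
        client 192.168.1.20 {
                secret    = secret2
                shortname = pixvpn
                nastype   = cisco
        }
}

# sites-enabled/pix-admin (assumed file): admin access requires LDAP group
# membership in "netadmins" (assumed group name); everyone else is rejected
# before authentication is even attempted.
server pix-admin {
        authorize {
                ldap
                if (!(Ldap-Group == "netadmins")) {
                        reject
                }
        }
        authenticate {
                Auth-Type LDAP {
                        ldap
                }
        }
}

# sites-enabled/pix-vpn (assumed file): VPN access requires membership in
# "vpnusers" (assumed group name), independent of the admin policy above.
server pix-vpn {
        authorize {
                ldap
                if (!(Ldap-Group == "vpnusers")) {
                        reject
                }
        }
        authenticate {
                Auth-Type LDAP {
                        ldap
                }
        }
}
```

The separation now comes from which socket the request arrived on rather than from anything the PIX puts in the packet, which is why NAS-Port or Calling-Station-Id no longer matter. A quick sanity check while rolling this out is to watch `radiusd -X` for the shared-secret mismatch message on each port: a VPN request mistakenly sent to 1812 will fail to decode against secret1 and be logged as such, rather than silently being evaluated under the admin policy.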