FreeRADIUS Post Authentication

I recently migrated from NPS on Windows Server 2008 to FreeRADIUS running on Red Hat Enterprise Linux. We use it mostly for Cisco device login authentication, but the same setup extends easily to WiFi or other applications.

LDAP authentication against Active Directory is well documented, so I won’t cover it here unless there is interest. What I did want to cover is the post-auth section.

I found a basic example at Flaz.net where the author uses LDAP groups to set the cisco-avpair reply attribute. I personally had trouble finding good documentation on more advanced post-auth options.

The example below shows some of the more advanced options I was able to come up with after a bit of trial and error.

post-auth {
### Cisco Auth ###
  # Branches are evaluated top to bottom; the first condition that is true wins.
  # client-shortname is the name of the client block in clients.conf the request came from.
  if (client-shortname == "office" && User-Name == "bliss") {
    update reply {
      cisco-avpair = "clientusername-test"
    }
  }
  elsif (client-shortname == "office") {
    update reply {
      cisco-avpair = "client-test"
    }
  }
  elsif (User-Name == "bliss") {
    update reply {
      cisco-avpair = "username-test"
    }
  }
  elsif (LDAP-Group == "admins") {
    update reply {
      cisco-avpair = "shell:priv-lvl=15"
    }
  }
  elsif (LDAP-Group == "ops") {
    update reply {
      cisco-avpair = "shell:priv-lvl=1"
    }
  }
  else {
    # No branch matched: return Access-Reject even though the password was correct
    reject
  }
}

Because this is an if/elsif chain, it is evaluated from top to bottom and the first branch whose condition is true wins; the branches after it are never evaluated, and the final else rejects any authenticated user that matched nothing. Note what that means for the ordering above: a member of admins who logs in through the office client gets client-test, not shell:priv-lvl=15, because the client-only branch comes first. Also note that the second branch accepts any account that authenticated successfully against AD from the office client, regardless of group, so in a real deployment the group checks belong before any client-only fallback.

In the first branch I combined client-shortname, which is the name of the client block in clients.conf that the request arrived from, with a User-Name match, so it only fires for my user coming through that one NAS, and sends back clientusername-test.

The additional elsif statements are just there to show that ordering matters: put the most specific conditions first and the broadest last.
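As an added example (not from the original post), here is the same policy reordered so that group membership is evaluated before any client-only fallback and the client name is only used to narrow a group's access. The group names admins and ops and the client name office come from the blocks above; the ordering and the combined condition are my suggestion, not the author's configuration. Attribute names are case-insensitive in unlang, so Cisco-AVPair and cisco-avpair are the same attribute.

```unlang
post-auth {
  # Added example: most privileged and most specific conditions first, fail closed at the end.
  if (LDAP-Group == "admins") {
    # admins get an enable-level shell from every NAS
    update reply {
      Cisco-AVPair = "shell:priv-lvl=15"
    }
  }
  elsif (LDAP-Group == "ops" && Client-Shortname == "office") {
    # ops only get a login shell through the client named "office" in clients.conf
    update reply {
      Cisco-AVPair = "shell:priv-lvl=1"
    }
  }
  else {
    # Everything else gets an Access-Reject: ops users arriving through another NAS,
    # and accounts that authenticated against AD but sit in no authorised group.
    reject
  }
}
```

Because the final else fires after the password has already been verified, post-auth is doing authorisation here, and the NAS just sees a plain Access-Reject. If you need a per-user override like the bliss branch above, put it before the group it overrides, not after a client-only catch-all.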

radtest is the easiest way to confirm the right reply is coming back: it takes the user name, password, server, NAS port number and shared secret, in that order, and prints the Access-Accept or Access-Reject together with every reply attribute, so you can see exactly which branch fired.

Cisco Prime authentication requires sending additional cisco-avpair values (the NCS: role and virtual-domain pairs) on top of the privilege level. The example below is what I was able to get working.

post-auth {
### Cisco Auth ###
  # reply_log (a detail module instance in the default config) writes the reply
  # attributes to a log so the NCS: values can be checked after each login.
  if (LDAP-Group == "network") {
    reply_log
    update reply {
      cisco-avpair = "shell:priv-lvl=15",
      cisco-avpair += "NCS:role0=Admin",
      cisco-avpair += "NCS:virtual-domain0=ROOT-DOMAIN"
    }
  }
  elsif (LDAP-Group == "support") {
    reply_log
    update reply {
      cisco-avpair = "NCS:role0=User Defined 1",
      cisco-avpair += "NCS:virtual-domain0=ROOT-DOMAIN"
    }
  }
  elsif (LDAP-Group == "security") {
    reply_log
    update reply {
      cisco-avpair = "NCS:role0=User Defined 2",
      cisco-avpair += "NCS:virtual-domain0=ROOT-DOMAIN"
    }
  }
  else {
    # Not in any Prime group: return Access-Reject
    reject
  }
}

The only trick here was getting the formatting right. Prime would not authorise the login when I tried to send role0 and virtual-domain0 inside the same attribute value; each has to be its own cisco-avpair instance. That is what the = followed by += does: = adds the attribute only if it is not already in the reply, and each += appends another instance, so Prime receives two or three separate cisco-avpair attributes rather than one combined string.

Let me know if this is helpful or if you would like more detail. This is just what works in my environment; yours may vary.
