Multi-tenant based on NAS IP
50 views
Skip to first unread message
Carter
Apr 6, 2024, 1:20:35 AMApr 6
to Event-Driven Servers
Hello, I'm trying to port a configuration from FreeRadius to tac_plus-ng. The FreeRadius server has several virtual servers that each have their own unique LDAP configurations. Each NAS request gets assigned to a virtual server based on the NAS IP/subnet. This is all done on the same listening port. I'm trying to find a way to replicate this behavior in tac_plus-ng.
To avoid misconfiguration on the NAS side influencing the "virtual server" selection, I would like to point all NAS devices to the same server IP/port.
I came up with a possible solution of configuring multiple realms with each listening on a different port, then using iptables to modify the destination port of incoming requests based on the source IP. I believe this is similar to what HAProxy would do. Whether I use iptables or HAProxy though, I believe this adds an additional layer of configuration: iptables/HAProxy would need to be configured separately from tac-plus_ng. This configuration would be rather fragile because I have to account for various one-off legacy equipment that needs to be pointed to a specific realm. I could write a script to generate the proxying configuration based on my tac-plus_ng devices configurations, but all this additional complexity leaves me wondering if there's a better solution.
Any help is much appreciated.
Carter
Marc Huber
Apr 6, 2024, 5:18:09 AMApr 6
to event-driv...@googlegroups.com
Hi Carter,
the latest commit adds a "target-realm" attribute to hosts to support
your use-case.
realm A { }
host ... { ... target-realm = A ... }
Cheers,
Marc
On 05.04.2024 19:33, Carter wrote:
> Hello, I'm trying to port a configuration from FreeRadius to
> tac_plus-ng. The FreeRadius server has several virtual servers
> <https://wiki.freeradius.org/config/Virtual-server> that each have
> --
> You received this message because you are subscribed to the Google
> Groups "Event-Driven Servers" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to event-driven-ser...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/event-driven-servers/58f5ab46-9690-4318-8160-a98afe2d998en%40googlegroups.com
> <https://groups.google.com/d/msgid/event-driven-servers/58f5ab46-9690-4318-8160-a98afe2d998en%40googlegroups.com?utm_medium=email&utm_source=footer>.
the latest commit adds a "target-realm" attribute to hosts to support
your use-case.
realm A { }
host ... { ... target-realm = A ... }
Cheers,
Marc
On 05.04.2024 19:33, Carter wrote:
> Hello, I'm trying to port a configuration from FreeRadius to
> tac_plus-ng. The FreeRadius server has several virtual servers
> You received this message because you are subscribed to the Google
> Groups "Event-Driven Servers" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to event-driven-ser...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/event-driven-servers/58f5ab46-9690-4318-8160-a98afe2d998en%40googlegroups.com
> <https://groups.google.com/d/msgid/event-driven-servers/58f5ab46-9690-4318-8160-a98afe2d998en%40googlegroups.com?utm_medium=email&utm_source=footer>.
Carter
Apr 8, 2024, 1:34:00 PMApr 8
to Event-Driven Servers
Marc,
Thanks for adding this so quickly. I'll test with my configuration and let you know if there are any issues.
Carter
Carter
Apr 11, 2024, 5:42:50 PMApr 11
to Event-Driven Servers
I wasn't able to get this to work. I'm able to log in to the NAS successfully, but the debug logs on the server don't show the name of my test realm or show my test rule being processed. There are no errors, it just looks like the realm isn't being changed from default. Here is my config. The NAS I'm logging into is defined as "testdevice".
id = spawnd {
background = no
# single process = yes
listen { address = 0.0.0.0 port = 49 }
spawn {
instances min = 1
instances max = 32
}
}
id = tac_plus-ng {
# debug = PACKET AUTHEN AUTHOR
debug = ALL -PACKET -HEX
# log mysyslog
log accesslog { destination = /tmp/tac_authentication.log }
log authorlog { destination = /tmp/tac_authorization.log }
log acctlog { destination = /tmp/tac_accounting.log }
access log = accesslog
authorization log = authorlog
accounting log = acctlog
# include = /home/tacplus/include/realms
# include = /home/tacplus/include/nets
mavis module = groups {
groups filter = /^(admins|guest|readonly)$/ # these are defined below
memberof filter = /^CN=tacacs_/ # use this as a prefix
}
mavis module = external {
setenv LDAP_SERVER_TYPE = "generic"
...
exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
}
user backend = mavis
login backend = mavis
pap backend = mavis
net private {
net rfc1918 { address = 10.0.0.0/8,172.16.0.0/12 address = 192.168.0.0/16 }
net local { address = 127.0.0.1 }
}
device newworld {
address = ::/0
device world {
address = 0.0.0.0/0
# welcome banner = "Welcome\n"
enable 15 = clear secret
key = ...
device rfc {
address = 172.16.0.0/12
address = 10.0.0.1
# welcome banner = "Welcome, you're coming from ${client.address}\n"
}
# parent = rfc
}
}
device testdevice {
address = x.x.x.x/32
target-realm = testrealm
key = ...
}
profile engineering {
# enable 2 = permit
# enable 14 = clear demodemo
# enable 15 = login
script {
# if ("${cmd}" != "")
# message = "commandline=${cmd}"
if (service == shell) {
if (cmd == "") {
# shell startup
set priv-lvl = 15
permit
}
if (cmd =~ /^healthcheck.*/) {
permit
}
if (cmd =~ /^show cdp .+/) { message = "not now" deny }
# if (device == lab) deny
permit
}
# if (service == demo) {
# set test = too
# permit
# }
}
}
profile guest {
script {
if (service == shell) {
set priv-lvl = 1
permit
}
deny
}
}
group readonly {
}
group engineering {
}
user demo {
password login = clear demo
# password pap = login
member = engineering
}
user readonly {
password {
# pap = clear readonly
login = clear readonly
}
member = readonly
}
ruleset {
rule mainrule {
enabled = yes
script {
background = no
# single process = yes
listen { address = 0.0.0.0 port = 49 }
spawn {
instances min = 1
instances max = 32
}
}
id = tac_plus-ng {
# debug = PACKET AUTHEN AUTHOR
debug = ALL -PACKET -HEX
# log mysyslog
log accesslog { destination = /tmp/tac_authentication.log }
log authorlog { destination = /tmp/tac_authorization.log }
log acctlog { destination = /tmp/tac_accounting.log }
access log = accesslog
authorization log = authorlog
accounting log = acctlog
# include = /home/tacplus/include/realms
# include = /home/tacplus/include/nets
mavis module = groups {
groups filter = /^(admins|guest|readonly)$/ # these are defined below
memberof filter = /^CN=tacacs_/ # use this as a prefix
}
mavis module = external {
setenv LDAP_SERVER_TYPE = "generic"
...
exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
}
user backend = mavis
login backend = mavis
pap backend = mavis
net private {
net rfc1918 { address = 10.0.0.0/8,172.16.0.0/12 address = 192.168.0.0/16 }
net local { address = 127.0.0.1 }
}
device newworld {
address = ::/0
device world {
address = 0.0.0.0/0
# welcome banner = "Welcome\n"
enable 15 = clear secret
key = ...
device rfc {
address = 172.16.0.0/12
address = 10.0.0.1
# welcome banner = "Welcome, you're coming from ${client.address}\n"
}
# parent = rfc
}
}
device testdevice {
address = x.x.x.x/32
target-realm = testrealm
key = ...
}
profile engineering {
# enable 2 = permit
# enable 14 = clear demodemo
# enable 15 = login
script {
# if ("${cmd}" != "")
# message = "commandline=${cmd}"
if (service == shell) {
if (cmd == "") {
# shell startup
set priv-lvl = 15
permit
}
if (cmd =~ /^healthcheck.*/) {
permit
}
if (cmd =~ /^show cdp .+/) { message = "not now" deny }
# if (device == lab) deny
permit
}
# if (service == demo) {
# set test = too
# permit
# }
}
}
profile guest {
script {
if (service == shell) {
set priv-lvl = 1
permit
}
deny
}
}
group readonly {
}
group engineering {
}
user demo {
password login = clear demo
# password pap = login
member = engineering
}
user readonly {
password {
# pap = clear readonly
login = clear readonly
}
member = readonly
}
ruleset {
rule mainrule {
enabled = yes
script {
if (device != testdevice) {
deny
}
deny
}
if (user != carter && user != demo) {
deny
}
if (member == engineering) {
profile = engineering
permit
}
if (member == readonly) {
profile = guest
permit
}
}
}
}
realm testrealm {
profile engineering2 {
script {
if (service == shell) {
if (cmd == "") {
# shell startup
set priv-lvl = 2
permit
}
if (cmd =~ /^healthcheck.*/) {
permit
}
permit
}
}
}
ruleset {
rule mainrule2 {
enabled = yes
script {
if (user != demo) {
deny
}
profile = engineering2
permit
}
}
}
}
}
deny
}
if (member == engineering) {
profile = engineering
permit
}
if (member == readonly) {
profile = guest
permit
}
}
}
}
realm testrealm {
profile engineering2 {
script {
if (service == shell) {
if (cmd == "") {
# shell startup
set priv-lvl = 2
permit
}
if (cmd =~ /^healthcheck.*/) {
permit
}
permit
}
}
}
ruleset {
rule mainrule2 {
enabled = yes
script {
if (user != demo) {
deny
}
profile = engineering2
permit
}
}
}
}
}
Marc Huber
Apr 12, 2024, 9:29:43 AMApr 12
to event-driv...@googlegroups.com
Hi Carter,
the code currently doesn't support implicit realm definitions. Try
adding a line with
realm testrealm
before
device testdevice
I'll add a check that lets the daemon error out if a non-existing realm
is refered to.
Cheers,
Marc
the code currently doesn't support implicit realm definitions. Try
adding a line with
realm testrealm
before
device testdevice
I'll add a check that lets the daemon error out if a non-existing realm
is refered to.
Cheers,
Marc
Carter
Apr 15, 2024, 10:24:30 AMApr 15
to Event-Driven Servers
Marc,
That seems to work, thanks again.
Reply all
Reply to author
Forward
0 new messages