Limiting Access based on Calling-Station-Id / Tunnel-Client-Endpoint


f.ba...@portrix-systems.de

Feb 25, 2014, 3:07:43 AM
to rcdevs-t...@googlegroups.com
Hey there,

We are using OpenOTP with Radius Bridge connected to our Windows AD and provide VPN login with tokens on our Cisco ASAs to our users. That all works very well so far.

One thing that I would like to have is that some users should only be allowed to connect from a specific IP. The ASA sends the IP address in the RADIUS requests twice: once as "Calling Station Attribute (31)" and once as "Tunnel Client End Attribute (66)". But I can't figure out how to limit access based on that.

Maybe someone can push me in the right direction?


Kind regards,
Florian

Administrators

Feb 25, 2014, 4:25:57 AM
to rcdevs-t...@googlegroups.com
In fact you can achieve this with a WebADM client policy.
Let's say your VPN provides the user IP with "Calling-Station-Id" (Attribute 31).

Then
1) in /opt/radiusd/conf/openotp.conf set source_attribute = "Calling-Station-Id"
Then RadiusBridge will forward the client IP read from the Calling-Station-Id attribute to OpenOTP.

2) In Cisco ASA, set a NAS Identifier for the RADIUS VPN client (ex. MyVPN).

3) In WebADM do Create -> "WebADM Client Policy".
Set MyVPN as common name for the client Policy object.
Edit the policy object's settings and set the "Allowed Addresses" to the IP addresses / netmasks which you allow.

f.ba...@portrix-systems.de

Feb 25, 2014, 7:36:31 AM
to rcdevs-t...@googlegroups.com
Hey,

Thank you for your fast reply.

Unfortunately "Calling-Station-Id" and "Tunnel-Client-Endpoint" don't seem to work as source_attribute. If I enable it I do see a source IP in OpenOTP, but it is not the one which is actually connecting. I believe it has something to do with this: "Attribute must be of type IPAddr." Both attributes are not of type IPAddr but of type String. Any chance to use them anyway?

Actually the ASA sends out a third attribute containing the IP:

Vendor Specific Attribute (26), length: 33, Value: Vendor: Cisco (9)
Vendor Attribute: 1, Length: 25, Value: ip:source-ip=192.168.0.42

But Cisco-AVPair is a string too (and an even more ugly one due to the "ip:source-ip=").


Kind regards,
Florian
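The two posts above describe the same check from both ends: the administrator's client policy matches the client IP that RadiusBridge forwards against an "Allowed Addresses" list of IPs / netmasks, and Florian's post shows the three places the ASA puts that IP (two String attributes and a Cisco-AVPair of the form "ip:source-ip=..."). The following is an added example, not RCDevs code and not how RadiusBridge or WebADM is implemented: it decodes the source IP from either an IPAddr or a String attribute, strips the AVPair prefix, and evaluates an allowed-address list. The sample request, the ATTRIBUTE_TYPES mapping and the force_ipaddr switch are constructed for illustration; force_ipaddr only shows what a decoder that accepts IPAddr values alone produces when handed a String, which is one way to get "a source IP, but not the one connecting".

```python
import ipaddress

# Constructed sample Access-Request attributes, keyed by dictionary name and
# holding the raw attribute value bytes. Illustrative values, not a capture.
SAMPLE_REQUEST = {
    "Calling-Station-Id": b"192.168.0.42",           # attr 31, type String
    "Tunnel-Client-Endpoint": b"192.168.0.42",       # attr 66, type String
    "Cisco-AVPair": b"ip:source-ip=192.168.0.42",    # VSA 26 / vendor 9 / 1, String
    "NAS-IP-Address": bytes([10, 0, 0, 1]),          # attr 4, type IPAddr (packed)
}

# Dictionary types for the attributes above (assumed mapping for this example).
ATTRIBUTE_TYPES = {
    "Calling-Station-Id": "string",
    "Tunnel-Client-Endpoint": "string",
    "Cisco-AVPair": "string",
    "NAS-IP-Address": "ipaddr",
}


def decode_ipaddr(raw):
    """Decode a RADIUS IPAddr value: four network-order octets."""
    if len(raw) < 4:
        raise ValueError("too short for an IPAddr value: %r" % raw)
    # A pure IPAddr decoder takes the first four octets as a packed address.
    # Applied to the String b"192.168.0.42" those octets are the ASCII bytes
    # '1', '9', '2', '.' and decode to 49.57.50.46, an unrelated address.
    return ipaddress.IPv4Address(raw[:4])


def decode_string_ip(raw):
    """Decode an IP carried as text, tolerating Cisco-AVPair's 'key=value' form."""
    text = raw.decode("ascii").strip()
    if "=" in text:
        # "ip:source-ip=192.168.0.42" -> keep only the value after the last '='
        text = text.rsplit("=", 1)[1].strip()
    return ipaddress.ip_address(text)


def extract_source_ip(attrs, source_attribute, force_ipaddr=False):
    """Return the client IP named by source_attribute, or None if it is absent.

    force_ipaddr=True ignores the dictionary type and decodes the raw bytes as
    IPAddr regardless (the failure mode, not the correct behaviour)."""
    raw = attrs.get(source_attribute)
    if raw is None:
        return None
    if force_ipaddr or ATTRIBUTE_TYPES.get(source_attribute) == "ipaddr":
        return decode_ipaddr(raw)
    return decode_string_ip(raw)


def is_allowed(ip, allowed_networks):
    """True if ip lies inside any entry of the allowed list.

    Entries may be single addresses, CIDR prefixes or dotted-netmask networks,
    which is the shape of an "Allowed Addresses" setting."""
    for entry in allowed_networks:
        if ip in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def authorize(attrs, source_attribute, allowed_networks):
    """Policy decision: 'accept' only when a source IP was found and is allowed.

    A request without the attribute, or with an undecodable value, is rejected
    rather than passed through (fail closed)."""
    try:
        ip = extract_source_ip(attrs, source_attribute)
    except ValueError:
        return "reject"
    if ip is None or not is_allowed(ip, allowed_networks):
        return "reject"
    return "accept"


if __name__ == "__main__":
    allowed = ["192.168.0.0/24", "203.0.113.7"]
    for attr in ("Calling-Station-Id", "Tunnel-Client-Endpoint", "Cisco-AVPair"):
        print(attr, extract_source_ip(SAMPLE_REQUEST, attr),
              authorize(SAMPLE_REQUEST, attr, allowed))
    # What the String value looks like when mis-decoded as IPAddr:
    print(extract_source_ip(SAMPLE_REQUEST, "Calling-Station-Id", force_ipaddr=True))
```

Run as a script it prints the decoded IP and decision for each of the three attributes, then the 49.57.50.46 that a String-as-IPAddr decode yields. The fail-closed branch in authorize matters in practice: a client that omits the attribute must not slip past an address restriction simply because there was nothing to compare.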

Administrators

Feb 25, 2014, 8:22:55 AM
to rcdevs-t...@googlegroups.com
In fact it's a very good idea.
source_attribute supports both IPAddr and String RADIUS dictionary attributes.

f.ba...@portrix-systems.de

Feb 25, 2014, 8:42:56 AM
to rcdevs-t...@googlegroups.com
Woohoo...now source_attribute works fine :) Then I can try the policy thing now.


Thank you very much.
Florian

f.ba...@portrix-systems.de

Feb 25, 2014, 9:52:14 AM
to rcdevs-t...@googlegroups.com
With the now fixed source_attribute this does work. Actually I didn't find a possibility to set the NAS Identifier in the ASA, but you can just use the IP address as Client Policy name instead, which does work fine.

But it does not quite do what I need. I would like to enforce this policy only on specific users and/or groups, not on the whole ASA.

Is there maybe a way to switch the 'User Access Settings' logic from AND to OR? That way I could define "You have either to be in that group OR come from that address.". Or a way to bind a policy to a group?



Kind regards,
Florian


Administrators

Feb 25, 2014, 12:02:07 PM
to rcdevs-t...@googlegroups.com
You can play with the allowed and denied things in the client policy.

Also look at the OpenOTP ReplyData too (detailed in RadiusBridge Manual).
With it, you can pass for ex. user roles and per-user attributes to the ASA to let ASA enforce rule-based policy...