Leighton Man <l.j....@hud.ac.uk> wrote:
>
> I would like to group NASs by ip address but as I have a few hundred,
> I don't want to maintain a list.
>
> Can I configure ip address ranges in huntgroups eg. Group1
> NAS-IP-Address == 192.168.1.101 - 105 If not, can I use regular
> expressions?
>
> How else can I do this? What is the best way?
>
I used to use huntgroups to do this, however recently discovered in the
mailing list archives that the clients.conf file can be used to better
effect with grouping:
----
client 2.3.4.0/24 {
shortname = switch
secret = blar
}
client 3.4.5.0/24 {
shortname = switch
secret = hoot
vendor = allied-telesis
}
client 1.2.3.0/28 {
shortname = console
secret = honk
}
----
Then in your virtual server you can use something like:
----
authorize {
....
update request {
# NAS-Vendor is a local custom dict addition
NAS-Vendor := "%{client:vendor}"
NAS-Identifier := "%{client:shortname}"
}
....
files
....
}
----
Your 'users' file then has:
----
DEFAULT NAS-Identifier == switch, NAS-Vendor == allied-telesis, LDAP-Group ==
netref
Service-Type = Administrative-User
DEFAULT NAS-Identifier == switch, LDAP-Group == netref
Service-Type = NAS-Prompt-User, Cisco-AVPair = "shell:priv-lvl=15"
DEFAULT NAS-Identifier == switch, Auth-Type := Reject
----
You can actually add *anything* to the client subsections ('shortname'
and 'secret' are the only FreeRADIUS variables in there, the 'vendor'
bit is not known to FreeRADIUS) and FreeRADIUS will simply ignore it but
it is accessible via '%{client:NAME}'.
The advantage with this approach is that you are doing the NAS grouping
in the clients.conf file rather than potentially duplicating it in the
'hints' and/or huntgroups file.
Cheers
--
Alexander Clouter
.sigmonster says: Your boyfriend takes chocolate from strangers.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
