Leighton Man <l.j....@hud.ac.uk> wrote:
>
> I would like to group NASs by ip address but as I have a few hundred,
> I don't want to maintain a list.
>
> Can I configure ip address ranges in huntgroups eg. Group1
> NAS-IP-Address == 192.168.1.101 - 105 If not, can I use regular
> expressions?
>
> How else can I do this? What is the best way?
>

I used to use huntgroups to do this, however recently discovered in the mailing list archives that the clients.conf file can be used to better effect with grouping:

----
client 2.3.4.0/24 {
        shortname = switch
        secret = blar
}
client 3.4.5.0/24 {
        shortname = switch
        secret = hoot
        vendor = allied-telesis
}
client 1.2.3.0/28 {
        shortname = console
        secret = honk
}
----

Then in your virtual server you can use something like:

----
authorize {
        ....
        update request {
                # NAS-Vendor is a local custom dict addition
                NAS-Vendor := "%{client:vendor}"
                NAS-Identifier := "%{client:shortname}"
        }
        ....
        files
        ....
}
----

Your 'users' file then has:

----
DEFAULT NAS-Identifier == switch, NAS-Vendor == allied-telesis, LDAP-Group == netref
        Service-Type = Administrative-User

DEFAULT NAS-Identifier == switch, LDAP-Group == netref
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15"

DEFAULT NAS-Identifier == switch, Auth-Type := Reject
----

You can actually add *anything* to the client subsections ('shortname' and 'secret' are the only FreeRADIUS variables in there, the 'vendor' bit is not known to FreeRADIUS) and FreeRADIUS will simply ignore it but it is accessible via '%{client:NAME}'.

The advantage with this approach is that you are doing the NAS grouping in the clients.conf file rather than potentially duplicating it in the 'hints' and/or huntgroups file.

Cheers

-- 
Alexander Clouter
.sigmonster says: Your boyfriend takes chocolate from strangers.
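
Added example, not part of the original post and not FreeRADIUS code: a small Python model of the lookup described above (source IP to client block, client attributes copied into the request, then first-match evaluation of the three DEFAULT entries), useful for checking which privilege level each NAS range and LDAP group combination ends up with. The names `find_client` and `authorize` are hypothetical; picking the most specific matching prefix, treating a missing `vendor` as an empty string, and passing LDAP group membership in as a set are assumptions of the model.

```python
import ipaddress

# Constructed copy of the clients.conf blocks from the post (secrets omitted).
CLIENTS = {
    "2.3.4.0/24": {"shortname": "switch"},
    "3.4.5.0/24": {"shortname": "switch", "vendor": "allied-telesis"},
    "1.2.3.0/28": {"shortname": "console"},
}

# The three DEFAULT entries from the 'users' file: (check items, reply).
# Evaluated top to bottom; the first match wins (no Fall-Through is set).
USERS = [
    ({"NAS-Identifier": "switch", "NAS-Vendor": "allied-telesis", "LDAP-Group": "netref"},
     {"Service-Type": "Administrative-User"}),
    ({"NAS-Identifier": "switch", "LDAP-Group": "netref"},
     {"Service-Type": "NAS-Prompt-User", "Cisco-AVPair": "shell:priv-lvl=15"}),
    ({"NAS-Identifier": "switch"}, "REJECT"),
]

def find_client(src_ip):
    """Return the most specific client block containing src_ip, or None."""
    addr = ipaddress.ip_address(src_ip)
    nets = [ipaddress.ip_network(n) for n in CLIENTS]
    hits = [n for n in nets if addr in n]
    if not hits:
        return None
    return CLIENTS[str(max(hits, key=lambda n: n.prefixlen))]

def authorize(src_ip, ldap_groups):
    """Model the 'update request' step plus the 'files' lookup."""
    client = find_client(src_ip)
    if client is None:
        return "UNKNOWN-CLIENT"          # packet from an unlisted source
    request = {
        "NAS-Identifier": client["shortname"],
        # Assumption: a client block without 'vendor' yields an empty string.
        "NAS-Vendor": client.get("vendor", ""),
    }
    for check, reply in USERS:
        ok = all(
            (value in ldap_groups) if attr == "LDAP-Group" else request.get(attr) == value
            for attr, value in check.items()
        )
        if ok:
            return reply
    return "NO-MATCH"                    # no DEFAULT entry applied
```

In this model a NAS in the 1.2.3.0/28 'console' range matches none of the three entries shown, so it needs rules of its own elsewhere in the 'users' file.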