Hi Alan,

[EMAIL PROTECTED] wrote:

> Basavaraj Bendigeri <[EMAIL PROTECTED]> wrote:
> 
>>I have one more question . This is regarding huntgroups . I assume 
>>huntgroups is for restricting users to certain groups , right ? 
>>
> 
>   No.  Read the comments at the top of the huntgroups file.
> 


I think I am phrasing the question incorrectly. Let me explain my 
question in detail. Assume I have 2 NASs in my network, say NAS1 and 
NAS2. Both send access requests to a RADIUS server in the network. Say 
I have some users "A", "B", "C", "X", "Y" and "Z". I want users "A", 
"B", "C" to log in to NAS1 and users "X", "Y" and "Z" to log in to NAS2 only.
NAS1 => A, B, C
NAS2 => X, Y, Z

Obviously now NAS1 will send the access requests for "A", "B" and "C". 
The RADIUS server should authenticate the users successfully, i.e. it 
should respond with an Access-Accept. The same should happen 
for users "X", "Y" and "Z". But in case "A" or "B" or "C" tries to log in to NAS2, 
RADIUS should not allow it. Similarly, if "X", "Y" or "Z" tries to log in to NAS1, 
RADIUS should not allow it in this case either. In both these cases 
RADIUS should respond with an Access-Reject.
I want to implement this with RADIUS and OpenLDAP as backend. Obviously 
one way I can think of doing it is by using the users and huntgroups files, 
and I did implement it that way. Let me explain how I did it.
The users file contained the following directives:

DEFAULT         Auth-Type := LDAP, Huntgroup-Name == "localhost"
                 Fall-Through = 1

DEFAULT         Auth-Type := LDAP, Huntgroup-Name == "test1"
                 Fall-Through = No

and no other directives.

The huntgroups file contained the following directives:
localhost       NAS-IP-Address == 127.0.0.1
                 User-Name == basavaraj

test1           NAS-IP-Address == 64.104.131.182
                 User-Name == guest


The radiusd.conf file contained the following directives for the authorize 
module:

authorize {
         preprocess
         suffix
         files
         ldap
}


So when an access request comes in from NAS 64.104.131.182 for user 
"guest", the RADIUS server responds with an Access-Accept, and the same 
happens with user "basavaraj" when the request comes in from NAS 
127.0.0.1. But if the request for "basavaraj" comes from NAS 
64.104.131.182, the RADIUS server responds with an Access-Reject. The 
same happens for "guest" from NAS "127.0.0.1". This solution satisfies 
my requirement. However, I want to know if this is the correct way of 
doing it?
Thanks in advance
-Raj

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
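The matching logic the message relies on, as an added example (not from the original post or from FreeRADIUS itself): a small Python model of how the posted huntgroups and users entries select an Auth-Type for an Access-Request, assuming the usual semantics that every check item on one huntgroups entry must match (AND), that entries sharing a name are alternatives (OR), and that Fall-Through controls whether later users entries are tried. Treating a request that matches no users entry as a reject mirrors what the poster observed, not a general FreeRADIUS rule.

```python
# Constructed from the entries quoted in the post: huntgroup name -> list of
# entries, each entry a dict of check items that must ALL match the request.
HUNTGROUPS = {
    "localhost": [{"NAS-IP-Address": "127.0.0.1", "User-Name": "basavaraj"}],
    "test1":     [{"NAS-IP-Address": "64.104.131.182", "User-Name": "guest"}],
}

# users file entries in file order: (check items, reply/control items).
USERS = [
    ({"Huntgroup-Name": "localhost"}, {"Auth-Type": "LDAP", "Fall-Through": "1"}),
    ({"Huntgroup-Name": "test1"},     {"Auth-Type": "LDAP", "Fall-Through": "No"}),
]


def matching_huntgroups(request):
    """Return the set of huntgroup names whose entries match this request.

    A single entry matches only if every check item on it matches, which is
    why 'NAS-IP-Address == 127.0.0.1' plus 'User-Name == basavaraj' ties that
    NAS to that one user rather than allowing anyone from 127.0.0.1."""
    names = set()
    for name, entries in HUNTGROUPS.items():
        for checks in entries:
            if all(request.get(attr) == value for attr, value in checks.items()):
                names.add(name)
    return names


def authorize(request):
    """Walk the users file top to bottom; return the Auth-Type selected, or
    None when no entry matched (which the poster saw turn into a reject)."""
    groups = matching_huntgroups(request)
    auth_type = None
    for checks, reply in USERS:
        matched = all(
            (value in groups) if attr == "Huntgroup-Name" else request.get(attr) == value
            for attr, value in checks.items()
        )
        if not matched:
            continue
        auth_type = reply.get("Auth-Type", auth_type)
        # Fall-Through = 1/Yes keeps walking; anything else stops at this entry.
        if reply.get("Fall-Through", "No").lower() not in ("1", "yes"):
            break
    return auth_type


if __name__ == "__main__":
    for nas in ("127.0.0.1", "64.104.131.182"):
        for user in ("basavaraj", "guest", "someone-else"):
            outcome = authorize({"NAS-IP-Address": nas, "User-Name": user})
            print(f"{user:>13} from {nas:<15} -> {outcome or 'no match (reject)'}")
```

Running it prints the four combinations from the post plus a third user, showing that an unlisted user from either NAS also matches no entry.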