Breeze P. Howard wrote:
Hello,

I searched through the list archives, but didn't find anything pertaining
to this issue (or I just didn't search on the correct phrases).

I'm running freeRadius 1.0.1 on RedHat 2.4.21-20.ELsmp (Enterprise ES
3.0). I've got it authenticating against my LDAP servers (several
redundant) and everything is working well.

However, I'd like to configure the radius server to allow separate NAS
servers to authenticate against separate LDAP filters.  To essentially use
the radius for several different projects all with different user groups.

Ex.
NAS1 authenticates against the ldap and only allows users with attribute-A.
NAS2 authenticates against the same ldap and allows users with attribute-B=X.
NAS3 authenticates against the same ldaps and allows users with attribute-B=Y.

I'm not sure how this would be possible, but I suspect it involves some
combination of authorization/authenticate modules each calling different
ldap modules with different filter attributes.  And then maybe
huntgroups/users set up to choose a different auth-type for each group?

Am I on the right track? Is there an easier way to do this? Or is this
something that is not even possible to do with one instance of radiusd?
and in that case I will need to run several instances of the daemon to
authenticate these different usergroups?

Thanks in Advance,
Breeze Howard


I do something similar to send my dialup static IP attribute to my dialup nas and my dsl static IP attribute to my dsl nas. Here is some sample config that should get you on your way:


In the radiusd.conf use something like this to define multiple ldap authentication modules.

============================================================================
ldap ldap_dialup {
  server = "127.0.0.1"
  basedn = "dc=sample,dc=net"
  filter = "(&(uid=%{User-Name})(dialupEnabled=1)(accountEnabled=1))"
  dictionary_mapping = ${raddbdir}/ldap_dialup.attrmap
}

ldap ldap_dsl {
  server = "127.0.0.1"
  basedn = "dc=sample,dc=net"
  filter = "(&(uid=%{User-Name})(dslEnabled=1)(accountEnabled=1))"
  dictionary_mapping = ${raddbdir}/ldap_dsl.attrmap
}

authorize {
  autztype ldap_dialup {
    ldap_dialup
  }
  autztype ldap_dsl {
    ldap_dsl
  }
}

authenticate {
  authtype DSL {
    ldap_dsl
  }

  authtype DIALUP {
    ldap_dialup
  }
}
============================================================================


Then define your attribute mapping in ldap_dsl.attrmap and ldap_dialup.attrmap so that both modules use their own maps.


In your users file use:

============================================================================
DEFAULT Auth-Type := DSL, NAS-IP-Address == "xxx", Autz-Type := ldap_dsl
  Service-Type = Framed-User,
  Framed-Protocol = PPP,
  Framed-MTU = 1492

DEFAULT Auth-Type := DIALUP, NAS-IP-Address == "xxx", Autz-Type := ldap_dialup
  Service-Type = Framed-User,
  Framed-Protocol = PPP,
  Framed-MTU = 1500
============================================================================


That will set a specific Auth-Type and Autz-Type for each NAS, giving you the ability to define separate filters and attribute maps for your NASes even though you are using a single LDAP directory.

HTH,

schu
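The routing schu describes (the users file picks an Auth-Type and Autz-Type by NAS-IP-Address, and each Autz-Type selects its own ldap instance with its own filter) can be modelled offline. The following Python is an added example and is not code from the post or from FreeRADIUS; the NAS addresses standing in for the "xxx" placeholders, the constructed request dicts, and the `ldap_escape`, `expand_filter`, `validate_entries` and `route_request` names are this example's own assumptions. It also shows why the `%{User-Name}` substitution inside the filter has to be escaped: rlm_ldap escapes the expanded value itself, and the example reproduces that so a User-Name containing filter metacharacters cannot change the structure of the filter a NAS is allowed to use.

```python
import ipaddress

# Constructed: the two ldap module instances from the reply, keyed by the
# Autz-Type name that selects them in the users file.
LDAP_INSTANCES = {
    "ldap_dsl": {
        "basedn": "dc=sample,dc=net",
        "filter": "(&(uid=%{User-Name})(dslEnabled=1)(accountEnabled=1))",
    },
    "ldap_dialup": {
        "basedn": "dc=sample,dc=net",
        "filter": "(&(uid=%{User-Name})(dialupEnabled=1)(accountEnabled=1))",
    },
}

# Constructed users-file entries. The NAS addresses are assumed values that
# stand in for the "xxx" placeholders in the post (TEST-NET-1 addresses).
USERS_ENTRIES = [
    {"nas_ip": "192.0.2.10", "auth_type": "DSL", "autz_type": "ldap_dsl",
     "reply": {"Service-Type": "Framed-User", "Framed-Protocol": "PPP", "Framed-MTU": 1492}},
    {"nas_ip": "192.0.2.20", "auth_type": "DIALUP", "autz_type": "ldap_dialup",
     "reply": {"Service-Type": "Framed-User", "Framed-Protocol": "PPP", "Framed-MTU": 1500}},
]


def ldap_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3).
    The characters * ( ) \\ and NUL become \\xx hex escapes, so whatever the
    peer sent as User-Name stays a single literal assertion value."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def expand_filter(template, user_name):
    """Substitute %{User-Name} in a module's filter template, escaping the value
    (this example's own model of what rlm_ldap does on expansion)."""
    return template.replace("%{User-Name}", ldap_escape(user_name))


def validate_entries(entries=USERS_ENTRIES):
    """Sanity-check the users entries: every NAS address parses and every
    Autz-Type names a defined ldap instance. Returns the number of entries."""
    for entry in entries:
        ipaddress.ip_address(entry["nas_ip"])  # raises ValueError on a bad address
        if entry["autz_type"] not in LDAP_INSTANCES:
            raise KeyError("unknown Autz-Type %s" % entry["autz_type"])
    return len(entries)


def route_request(request, entries=USERS_ENTRIES):
    """Mimic the users-file pass: the first entry whose NAS-IP-Address check
    matches sets Auth-Type and Autz-Type, and the selected ldap instance's
    filter is expanded for the user. Returns None when no entry matches, the
    case in which no Auth-Type is ever set and the server rejects the request."""
    for entry in entries:
        if entry["nas_ip"] == request.get("NAS-IP-Address"):
            instance = LDAP_INSTANCES[entry["autz_type"]]
            return {
                "Auth-Type": entry["auth_type"],
                "Autz-Type": entry["autz_type"],
                "basedn": instance["basedn"],
                "filter": expand_filter(instance["filter"], request["User-Name"]),
                "reply": dict(entry["reply"]),
            }
    return None


if __name__ == "__main__":
    validate_entries()
    # Constructed requests: one per NAS, one from an unknown NAS, and one whose
    # User-Name carries filter metacharacters that must be neutralised.
    for req in ({"NAS-IP-Address": "192.0.2.10", "User-Name": "alice"},
                {"NAS-IP-Address": "192.0.2.20", "User-Name": "alice"},
                {"NAS-IP-Address": "192.0.2.30", "User-Name": "alice"},
                {"NAS-IP-Address": "192.0.2.10", "User-Name": "alice)(dslEnabled=*"}):
        print(req["NAS-IP-Address"], req["User-Name"], "->", route_request(req))
```

Running the script prints the Auth-Type, Autz-Type, expanded filter and reply items chosen for each constructed request; the unknown NAS gets `None`, and the metacharacter User-Name ends up as one escaped `uid=` value with the filter's parenthesis count unchanged.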


- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html