Alan DeKok wrote:
> You appear to have two independent requirements:
>
> 1) port 1645 versus 1812 checks
> 2) allowing only known users
>
> The first can be solved by what you have. The second can be solved
> by putting all of the known users into a group (see rlm_passwd).
> Then, in the "users" file, do:
>
> DEFAULT My-Group != "known", Auth-Type := Reject
>
> DEFAULT Auth-Type:=Accept, Huntgroup-Name=="Office", Hint==Port-1812
>     Connect-Info="OFFICE_NET"
> DEFAULT Huntgroup-Name=="Office", Hint==Port-1645, Proxy-To-Realm := PROXY_GW
>     Connect-Info="OFFICE_NET"

That will work for the simple case I provided, but my users file is actually a bit more complicated. There are multiple NAS-IP-Address and/or Huntgroups available, and not all users have access to all of them. The only thing guaranteed is that any user who *has* an entry actually has two, one with a Hint==Port-1645 and the other with Hint==Port-1812.

Perhaps a better users file example would be:

user01 Auth-Type:=Accept, NAS-IP-Address==10.1.2.3, Hint==Port-1812
user01 Auth-Type:=Accept, NAS-IP-Address==10.1.2.4, Hint==Port-1812
user01 NAS-IP-Address==10.1.2.3, Hint==Port-1645, Proxy-To-Realm:=PROXY_GW
user02 Auth-Type:=Accept, NAS-IP-Address==10.1.2.3, Hint==Port-1812
user03 NAS-IP-Address==10.1.2.4, Hint==Port-1645, Proxy-To-Realm:=PROXY_GW

Additionally, none of these folks have (or can have) /etc/passwd accounts on this system, so I'm not sure that rlm_passwd will work for me necessarily (plus, we're back to the "not every user has access to every NAS/Huntgroup" problem).
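
The per-user, per-NAS access matrix in the entries above can be checked offline with a small model. This is an added example, not part of the original post and not FreeRADIUS code: `parse` and `resolve` are hypothetical helper names, and the model assumes first-match evaluation with no Fall-Through, treating `:=` items as values to set and `==`/`!=` items as comparisons.

```python
import re

# Entries copied from the post above; only the first line of each entry is modelled.
USERS = """\
user01 Auth-Type:=Accept, NAS-IP-Address==10.1.2.3, Hint==Port-1812
user01 Auth-Type:=Accept, NAS-IP-Address==10.1.2.4, Hint==Port-1812
user01 NAS-IP-Address==10.1.2.3, Hint==Port-1645, Proxy-To-Realm:=PROXY_GW
user02 Auth-Type:=Accept, NAS-IP-Address==10.1.2.3, Hint==Port-1812
user03 NAS-IP-Address==10.1.2.4, Hint==Port-1645, Proxy-To-Realm:=PROXY_GW
"""

# One "Attribute op value" item; surrounding double quotes on the value are optional.
ITEM = re.compile(r'\s*([\w-]+)\s*(==|:=|!=)\s*"?([^",]+?)"?\s*$')

def parse(text):
    """Return [(name, checks, sets)] in file order."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#") or line[0].isspace():
            continue  # skip blanks, comments and indented reply-item lines
        name, rest = line.split(None, 1)
        checks, sets = [], {}
        for item in rest.split(","):
            m = ITEM.match(item)
            if not m:
                raise ValueError(f"unparsed item: {item!r}")
            attr, op, val = m.groups()
            if op == ":=":
                sets[attr] = val          # assignment, e.g. Auth-Type or Proxy-To-Realm
            else:
                checks.append((attr, op, val))  # comparison against the request
        entries.append((name, checks, sets))
    return entries

def resolve(entries, user, request):
    """Return the assignments of the first matching entry, or None if no entry matches."""
    for name, checks, sets in entries:
        if name not in (user, "DEFAULT"):
            continue
        # "==" needs equality to hold, "!=" needs it to fail.
        if all((request.get(a) == v) == (op == "==") for a, op, v in checks):
            return sets
    return None
```

A `None` result marks a user/NAS/port combination that no entry covers, which is the case the "known users only" requirement has to deny.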