Geoff Silver wrote:
DEFAULT My-Group != "known", Auth-Type := Reject
DEFAULT Auth-Type := Accept, Huntgroup-Name == "Office", Hint == Port-1812
	Connect-Info = "OFFICE_NET"
DEFAULT Huntgroup-Name == "Office", Hint == Port-1645, Proxy-To-Realm := PROXY_GW
	Connect-Info = "OFFICE_NET"
That will work for the simple case I provided, but my users file is actually a
bit more complicated. There are multiple NAS-IP-Address and/or Huntgroups
available, and not all users have access to all of them. The only thing
guaranteed is that any user who *has* an entry actually has two, one with a
Hint==Port-1645 and the other with Hint==Port-1812.
Perhaps a better users file example would be:
user01 Auth-Type:=Accept, NAS-IP-Address==10.1.2.3, Hint==Port-1812
user01 Auth-Type:=Accept, NAS-IP-Address==10.1.2.4, Hint==Port-1812
user01 NAS-IP-Address==10.1.2.3, Hint==Port-1645, Proxy-To-Realm:=PROXY_GW
user02 Auth-Type:=Accept, NAS-IP-Address==10.1.2.3, Hint==Port-1812
user03 NAS-IP-Address==10.1.2.4, Hint==Port-1645, Proxy-To-Realm:=PROXY_GW
Additionally, none of these folks have (or can have) /etc/passwd accounts on
this system, so I'm not sure that rlm_passwd will work for me necessarily
(plus, we're back to the "not every user has access to every NAS/Huntgroup"
problem).
rlm_passwd would be better named "rlm_lookup" or "rlm_mapping" or
"rlm_keyval". I use it very successfully after a hint from Alan to cut
down combinatorial explosion:
modules {
	passwd nas2kind {
		# rlm_passwd's option is "filename"; in the format string "*" marks
		# the key field and "~" puts the looked-up field into the request list
		filename = /etc/raddb/nas2kind
		format = "*NAS-IP-Address:~NasKind"
	}
	passwd user2group {
		filename = /etc/raddb/user2group
		format = "*User-Name:~Group"
		# a user has several lines here; without this only the first
		# matching line is used and the other Group values never appear
		allowmultiplekeys = yes
	}
}
authorize {
	preprocess
	nas2kind
	user2group
	users
}
/etc/raddb/nas2kind:
10.1.2.3:type1
10.1.2.4:type2
/etc/raddb/user2group:
user01:nasgroup1-p1812
user01:nasgroup2-p1812
user01:nasgroup1
user02:nasgroup1-p1812
user03:nasgroup2-p1812
/etc/raddb/users:
# Group and NasKind are the request attributes added by the passwd
# instances; both names must exist in a local dictionary.
# Reject users with no user2group entry
DEFAULT Group !* ANY, Auth-Type := Reject
# Auth-Type and Proxy-To-Realm are check items, so they stay on the check line
DEFAULT Group == "nasgroup1-p1812", NasKind == "type1", Hint == Port-1812, Auth-Type := Accept
DEFAULT Group == "nasgroup2-p1812", NasKind == "type2", Hint == Port-1812, Auth-Type := Accept
DEFAULT Group == "nasgroup1", NasKind == "type1", Hint == Port-1645, Proxy-To-Realm := PROXY_GW
DEFAULT Group == "nasgroup2", NasKind == "type2", Hint == Port-1645, Proxy-To-Realm := PROXY_GW
Hopefully that's clear.
Note that the passwd instances are defined to add the values to the
request (because it's hard to match on == for config/reply items in
users) so you'll need to make sure those value names are in a local
dictionary somewhere.
Note also that the above is a literal translation of your most recent
email - I believe in your original email you matched on Huntgroup-Name,
in which case you can skip the NasKind mapping and simplify things somewhat.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
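Added example (not code from either poster nor from FreeRADIUS itself): a small Python model of the authorize flow described in the reply above. It reproduces rlm_passwd's format prefixes ("*" key, "~" request list, "=" control list, bare name reply list) and the users file's first-match rule for the "==" and "!*" operators only, runs the constructed copies of the nas2kind and user2group files against a few requests, and shows which user/NAS/port combinations the five DEFAULT entries leave unmatched (FreeRADIUS would then have no Auth-Type and reject). It assumes Hint has already been set by the hints file, and the allowmultiplekeys argument mirrors rlm_passwd's option of that name.

```python
# Constructed copies of the two mapping files from the reply.
NAS2KIND = """\
10.1.2.3:type1
10.1.2.4:type2
"""

USER2GROUP = """\
user01:nasgroup1-p1812
user01:nasgroup2-p1812
user01:nasgroup1
user02:nasgroup1-p1812
user03:nasgroup2-p1812
"""

# The users file entries from the reply as (check items, control items).
USERS = [
    ([("Group", "!*", None)], {"Auth-Type": "Reject"}),
    ([("Group", "==", "nasgroup1-p1812"), ("NasKind", "==", "type1"),
      ("Hint", "==", "Port-1812")], {"Auth-Type": "Accept"}),
    ([("Group", "==", "nasgroup2-p1812"), ("NasKind", "==", "type2"),
      ("Hint", "==", "Port-1812")], {"Auth-Type": "Accept"}),
    ([("Group", "==", "nasgroup1"), ("NasKind", "==", "type1"),
      ("Hint", "==", "Port-1645")], {"Proxy-To-Realm": "PROXY_GW"}),
    ([("Group", "==", "nasgroup2"), ("NasKind", "==", "type2"),
      ("Hint", "==", "Port-1645")], {"Proxy-To-Realm": "PROXY_GW"}),
]


def parse_format(fmt, delimiter=":"):
    """Split an rlm_passwd format string into (key attribute, [(attr, list)]).
    '*' marks the key field, '~' sends a field to the request list,
    '=' to the control list, and no prefix to the reply list."""
    key, fields = None, []
    for field in fmt.split(delimiter):
        if field.startswith("*"):
            key = field[1:]
            fields.append((key, "key"))
        elif field.startswith("~"):
            fields.append((field[1:], "request"))
        elif field.startswith("="):
            fields.append((field[1:], "control"))
        else:
            fields.append((field, "reply"))
    if key is None:
        raise ValueError("format needs a '*' key field")
    return key, fields


def passwd_lookup(file_text, fmt, request, allowmultiplekeys=False, delimiter=":"):
    """Mimic one rlm_passwd instance: for each line whose key field equals the
    request's key attribute, add the remaining fields to their lists.
    Without allowmultiplekeys only the first matching line is used."""
    key, fields = parse_format(fmt, delimiter)
    lists = {"request": request, "control": {}, "reply": {}}
    for line in file_text.splitlines():
        if not line or line.startswith("#"):
            continue
        values = line.split(delimiter)
        if len(values) != len(fields):
            continue  # malformed line; skipped here, rlm_passwd would log it
        row = dict(zip([name for name, _ in fields], values))
        if row[key] not in request.get(key, []):
            continue
        for attr, dest in fields:
            if dest != "key":
                lists[dest].setdefault(attr, []).append(row[attr])
        if not allowmultiplekeys:
            break
    return lists["control"], lists["reply"]


def users_dispatch(request, users=USERS):
    """First-match rule of the users file: control items of the first entry
    whose check items all hold, or None when no entry matches."""
    for checks, control in users:
        for attr, op, value in checks:
            have = request.get(attr, [])
            if op == "==":
                ok = value in have        # any instance of the attribute may match
            elif op == "!*":
                ok = not have             # attribute must be absent
            else:
                raise ValueError("unsupported operator " + op)
            if not ok:
                break
        else:
            return dict(control)
    return None


def authorize(user, nas_ip, port, allowmultiplekeys=True):
    """Run preprocess (Hint), nas2kind, user2group and users for one request."""
    request = {
        "User-Name": [user],
        "NAS-IP-Address": [nas_ip],
        "Hint": ["Port-%d" % port],  # assumed to come from the hints file
    }
    passwd_lookup(NAS2KIND, "*NAS-IP-Address:~NasKind", request)
    passwd_lookup(USER2GROUP, "*User-Name:~Group", request, allowmultiplekeys)
    return users_dispatch(request)


if __name__ == "__main__":
    for args in [("user01", "10.1.2.3", 1812), ("user01", "10.1.2.3", 1645),
                 ("user01", "10.1.2.4", 1645), ("user02", "10.1.2.4", 1812),
                 ("nobody", "10.1.2.3", 1812)]:
        print(args, "->", authorize(*args))
    print("user01 on port 1645 without allowmultiplekeys ->",
          authorize("user01", "10.1.2.3", 1645, allowmultiplekeys=False))
```

The two None results are the point of the model: user01 on 10.1.2.4 port 1645 and user02 on 10.1.2.4 have no entry in either the original per-user users file or the Group/NasKind rewrite, so nothing sets an Auth-Type for them, and the last line shows that without allowmultiplekeys the user2group lookup only ever yields the first Group line, which silently breaks the Port-1645 proxy rule for user01.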