> From: freeradius-users-[EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED]] On behalf of Ranner, Frank MR
> Sent: Tuesday 17 October 2006 4:17
> To: FreeRadius users mailing list
> Subject: RE: [sec: unclas] Huntgroupname checkitem in LDAP
>
> DEFAULT Ldap-Group == `%{Huntgroup-Name}`
>         Access-Level := RW,
>         Service-Type = Administrative-User,
>         Cisco-AVPair := "shell:priv-lvl=15",
>         Passport-Command-Impact = configuration
>
Although this approach works if you just want to add attributes for a certain huntgroup when a user is a member of it, my problem is that I have 2 user databases, one being SQL, the other being LDAP/AD. I want to be able to specify which NASes the LDAP/AD user has access to. If there were only LDAP/AD users, everything would work like this:

DEFAULT Ldap-Group == `%{Huntgroup-Name}`
        Fall-Through = no

DEFAULT Auth-Type := REJECT

In this way, every user that is not a member of a specific group that matches a huntgroup name is denied access. But I still have the SQL users, and the above rules break them. So I changed it to this:

DEFAULT SQL-Group == `%{Huntgroup-Name}`
        Fall-Through = no

DEFAULT Ldap-Group == `%{Huntgroup-Name}`
        Fall-Through = no

DEFAULT Auth-Type := REJECT

In this way, I need to change my SQL users setup from having the Huntgroup-Name in SQL as a check item (radgroupcheck) to adding every SQL user to a SQL group having the same name as the huntgroup. This behaviour works but is not really desirable.

After searching and experimenting, the trick to NOT break EAP/LDAP/SQL but still have everything working like I wanted was as follows:

DEFAULT Ldap-Group == `%{Huntgroup-Name}`
        Fall-Through = no

DEFAULT Auth-Type = LOCAL
        Fall-Through = Yes

This configuration allows the default SQL behaviour to stay the same, keeps EAP working, AND locks LDAP users to the NASes controlled by their group membership. Since I spent a long time figuring this out, I wanted to share this with the list.

My current setup has SQL users + complete Active Directory integration (having EAP=>NTLM) + LDAP (PAP/etc...)

Kind Regards,
J.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
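To make the Fall-Through and operator behaviour behind the three users-file variants in the post visible, here is an added, deliberately simplified model of how FreeRADIUS walks DEFAULT entries (not FreeRADIUS code and not from the poster). It assumes group checks behave as set membership, that "Auth-Type" may already be set by the EAP module before the users file is consulted, and uses a constructed huntgroup name "cisco-admins".

```python
import re

# Simplified model of FreeRADIUS "users" file processing (assumption, not real code):
# entries are tried top to bottom; a DEFAULT entry matches when every "==" check
# item holds; on a match its configuration items are applied (":=" overwrites,
# "=" only sets an item that is still unset) and Fall-Through decides whether
# later entries are consulted.  Ldap-Group / SQL-Group are modelled as the set of
# groups the backend reports for the user (empty if the backend does not know him).

def expand(value, request):
    """Expand %{Attr} references in a check item value against the request."""
    return re.sub(r"%\{([\w-]+)\}", lambda m: str(request.get(m.group(1), "")), value)

def evaluate_users_file(entries, request):
    """Return the Auth-Type configured after walking the entries.
    None means no entry set it, so the normal LDAP/EAP module flow decides."""
    config = {}
    if "Auth-Type" in request:              # e.g. already chosen by the EAP module
        config["Auth-Type"] = request["Auth-Type"]
    for checks, fall_through in entries:
        compares = [(a, expand(v, request)) for a, op, v in checks if op == "=="]
        if not all(v in request.get(a, set()) if a.endswith("-Group") else request.get(a) == v
                   for a, v in compares):
            continue                        # entry does not match, try the next one
        for attr, op, value in checks:
            if op == ":=":
                config[attr] = value
            elif op == "=":
                config.setdefault(attr, value)
        if not fall_through:
            break
    return config.get("Auth-Type")

HG = "%{Huntgroup-Name}"
# The three configurations from the post, in the order they were tried.
LDAP_ONLY = [([("Ldap-Group", "==", HG)], False), ([("Auth-Type", ":=", "REJECT")], False)]
SQL_AND_LDAP = [([("SQL-Group", "==", HG)], False), ([("Ldap-Group", "==", HG)], False),
                ([("Auth-Type", ":=", "REJECT")], False)]
FINAL = [([("Ldap-Group", "==", HG)], False), ([("Auth-Type", "=", "LOCAL")], True)]

# Constructed sample requests; the NAS is assumed to resolve to huntgroup "cisco-admins".
SQL_USER = {"Huntgroup-Name": "cisco-admins", "Ldap-Group": set(), "SQL-Group": set()}
LDAP_USER = {"Huntgroup-Name": "cisco-admins", "Ldap-Group": {"cisco-admins"}}
LDAP_OTHER = {"Huntgroup-Name": "cisco-admins", "Ldap-Group": {"other-nas"}}
EAP_USER = {**SQL_USER, "Auth-Type": "EAP"}  # EAP module already picked Auth-Type

if __name__ == "__main__":
    for name, cfg in (("LDAP_ONLY", LDAP_ONLY), ("SQL_AND_LDAP", SQL_AND_LDAP), ("FINAL", FINAL)):
        for uname, req in (("SQL user", SQL_USER), ("LDAP member", LDAP_USER),
                           ("LDAP non-member", LDAP_OTHER), ("EAP user", EAP_USER)):
            print(f"{name:13} {uname:16} -> Auth-Type {evaluate_users_file(cfg, req)}")
```

The run shows why the first variant rejects every SQL user (they are unknown to LDAP, so they fall into the REJECT entry), while the final variant leaves LDAP group members and EAP sessions untouched and only hands the remaining users to LOCAL authentication.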