Hi, I realize this was a thread from over a month ago, but thought I'd ask anyway. I have my original post, followed by your reply, followed by my new question.

First off, my original post:

> We're using FreeRadius to authenticate our wireless users (whose
> credentials are stored in LDAP). But we'd also like to use it to
> authenticate a select few users who need access to our networking gear. Our
> networking gear is set up to do this, but I'm not sure how to set this up in
> FreeRadius.
>
> I would assume that you'd specify in the clients.conf section which users
> are allowed access to that device, but in looking at the documentation for
> clients.conf, that doesn't seem to be the case.

============

And your reply:

You would want to use the special username DEFAULT. (Check the man page for users(5).) What I did (although this might be slightly hackish) is I took a look at the attributes in the request that was being sent by the supplicant. I looked for attributes that were different between the wireless users and the network equipment users. For example, you might want to do something like:

    "admin1"  NAS-Port-Type == "Virtual", Auth-Type = LDAP
    "admin2"  NAS-Port-Type == "Virtual", Auth-Type = LDAP

    # This matches everyone else
    DEFAULT   NAS-Port-Type == "Virtual", Auth-Type := Reject

    # This will match all wireless users
    DEFAULT   NAS-Port-Type == "Wireless-802.11", Auth-Type = LDAP

Of course, this will mean that your network admins will *only* be able to log in via LDAP. You may need to configure some kind of Fall-Through if you want users to authenticate using some other mechanism in addition to LDAP. So this is not without its limitations, but this should give you some ideas to start from.

-- 
John Guthrie
[EMAIL PROTECTED]

=====================

My question here is, would doing what you mentioned above eliminate the possibility of users other than admin1 or admin2 authenticating to the network via that switch?

What we're trying to do is rather odd I guess. On one hand, we want to use the switch as an 802.1x device for regular use. So it has to be able to authenticate at the switch port level via 802.1x. We currently have huntgroups for that and it works. We'd ALSO like to be able to use Radius to authenticate our comms staff when they telnet/log in to the switches' mgmt interfaces. So while I think your suggestion above would work for that part, it would at the same time deny all my 802.1x users because of the Reject statement? I'm a bit confused, so any help is appreciated.

Cheers
Matt

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
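As an added illustration, not code from the thread or from FreeRADIUS itself: a small Python emulation of how the users-file entries in John's reply are walked (top to bottom, first match wins unless Fall-Through is set), run over constructed requests for management login, wireless and wired 802.1X. It assumes the switch reports NAS-Port-Type "Virtual" for telnet/ssh management logins and "Ethernet" for 802.1X port authentication (this is vendor-dependent), and adds a hypothetical DEFAULT entry for Ethernet to show how the wired users would be handled.

```python
# Added example, not from the thread or from FreeRADIUS: emulates how the
# "users" file entries from John's reply are walked (top to bottom, first
# match wins unless Fall-Through is set) against constructed requests.
# Assumption: the switch sends NAS-Port-Type "Ethernet" for 802.1X port
# authentication and "Virtual" for telnet/ssh management logins (vendor-dependent).

# (User-Name or DEFAULT, check items that must equal the request, Auth-Type, Fall-Through)
USERS = [
    ("admin1",  {"NAS-Port-Type": "Virtual"},         "LDAP",   False),
    ("admin2",  {"NAS-Port-Type": "Virtual"},         "LDAP",   False),
    # Matches every other management login: Auth-Type := Reject
    ("DEFAULT", {"NAS-Port-Type": "Virtual"},         "Reject", False),
    # Matches all wireless users
    ("DEFAULT", {"NAS-Port-Type": "Wireless-802.11"}, "LDAP",   False),
    # Hypothetical extra entry for wired 802.1X port authentication
    ("DEFAULT", {"NAS-Port-Type": "Ethernet"},        "LDAP",   False),
]

def lookup(request, users=USERS):
    """Return the Auth-Type chosen for one request, or None if no entry matched."""
    decision = None
    for name, check, auth_type, fall_through in users:
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue                      # named entry for somebody else
        if any(request.get(attr) != val for attr, val in check.items()):
            continue                      # a check item did not match
        decision = auth_type
        if not fall_through:
            break                         # first match wins
    return decision

# Constructed sample requests covering the three kinds of access in the thread.
REQUESTS = {
    "admin1 via telnet":   {"User-Name": "admin1", "NAS-Port-Type": "Virtual"},
    "bob via telnet":      {"User-Name": "bob",    "NAS-Port-Type": "Virtual"},
    "bob via wireless":    {"User-Name": "bob",    "NAS-Port-Type": "Wireless-802.11"},
    "bob via wired dot1x": {"User-Name": "bob",    "NAS-Port-Type": "Ethernet"},
}

def decide_all(requests=REQUESTS, users=USERS):
    """Map each sample request to the Auth-Type the entries would select."""
    return {label: lookup(req, users) for label, req in requests.items()}

if __name__ == "__main__":
    for label, auth in decide_all().items():
        print(f"{label:22s} -> {auth}")
```

Running `lookup` on the wired request with only the four original entries (`USERS[:4]`) returns None: the Reject entry is tied to NAS-Port-Type "Virtual" and does not match an Ethernet request.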