>I have a question to understand radius better.
>For this I make a simple example scenario:
>
>I want to use my radius for 2 things :
>
>1. wireless-access for laptops with machine authentication over a
>wireless switch with ip 1.1.1.1
>2. authentication for the login to my switches for some admin-users
>
Create 2 ldap instances.
>My machines (case 1) are in a samba-domain and saved in an openldap-DB
>in the tree:
ldap ldap1 { ... with this:
>basedn = "ou=samba-machines,dc=sb-brixen,dc=it"
>
>My users (case 2), where I select my admins with a ldap-filter, are
>also in an openldap-DB in the tree:
and ldap ldap2 with this:
>basedn = "ou=users,dc=sb-brixen,dc=it"
>
>How and where do I distinguish these 2 cases?
You can use unlang. ldap1 requests will be coming from 1.1.1.1 and won't
have Service-Type in them (that will be only for admin requests):
if (NAS-IP-Address == 1.1.1.1 && !Service-Type) {
        ldap1
}
else {
        ldap2
}
Put that in authorize (default virtual server) instead of ldap entry.
Don't bother with forcing auth type ldap - let the pap module sort out
authentication.
>In clients.conf i have defined my switches and my network.
>
>For the users-file I have seen some examples like:
>DEFAULT Huntgroup-Name = "vpn-pix",Auth-Type := ldap
>
>But where do I define "Huntgroup-Name = "vpn-pix""? Is this the normal
>name in the clients.conf?
>
You define huntgroups in the huntgroups file (raddb/huntgroups). I don't
think you need them. You would use them if some admins can have access
to one group of devices and not to another.
Ivan Kalik
Kalik Informatika ISP
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
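The two-instance layout from the reply, written out as one worked configuration. This is an added illustration, not taken from the thread or from the FreeRADIUS distribution; the LDAP server address, bind identity and password, the admin group filter and the file paths are assumed placeholders (FreeRADIUS 2.x syntax).

```conf
# raddb/modules/ldap (assumed path): two instances of the ldap module,
# one per subtree. Only basedn and the search filter differ.
ldap ldap1 {
        server = "ldap.example.invalid"                  # placeholder
        identity = "cn=radius,dc=sb-brixen,dc=it"        # placeholder bind DN
        password = "CHANGE_ME"                           # placeholder
        basedn = "ou=samba-machines,dc=sb-brixen,dc=it"
        # machine accounts: look the host account up by its User-Name
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
}

ldap ldap2 {
        server = "ldap.example.invalid"                  # placeholder
        identity = "cn=radius,dc=sb-brixen,dc=it"        # placeholder bind DN
        password = "CHANGE_ME"                           # placeholder
        basedn = "ou=users,dc=sb-brixen,dc=it"
        # admins only: the extra group term is a placeholder for your own
        # admin filter; a user outside that group is simply not found
        filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=cn=admins,ou=groups,dc=sb-brixen,dc=it))"
}

# raddb/sites-enabled/default, authorize section: the plain "ldap" entry
# is replaced by the unlang branch from the reply; the other stock
# modules of the authorize section stay where they are.
authorize {
        preprocess
        suffix
        # wireless machine auth comes from the wireless switch and carries
        # no Service-Type; switch logins carry Service-Type, so they go to ldap2
        if (NAS-IP-Address == 1.1.1.1 && !Service-Type) {
                ldap1
        }
        else {
                ldap2
        }
        # no Auth-Type forced here: pap decides from the password attributes
        # the ldap lookup returned
        pap
}
```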