David Bailey wrote:
> The problem is that although I have some 250 client definitions in
> clients.conf, I'd rather avoid using 250 definitions in users.
> 
> I'm trying to find a way to categorize the RADIUS clients into Cisco, HP,
> etc.

  You could use groups.  See "man rlm_passwd" for examples.  You can
create groups based on any criteria.  Then, just do group checking.

> What I was trying to do was to give each client a name:
> 
> client Cisco_IOS.host-10.1.2.3 {
>   ipaddr = 10.1.2.3
>   secret = supersecret
> }
> 
> client HP_Procurve.host-10.3.2.1 {
>   ipaddr = 10.3.2.1
>   secret = alsoverysecret
> }

  One undocumented feature is that you can put *anything* into the
configuration, so long as it is the correct format:

client a {
        ipaddr = 10.1.2.3
        secret = foo
        vendor = cisco
}

  FreeRADIUS will load the "vendor" entry, but it won't do anything with
it.  You can then create rules based on that.

> And then build something to refer to them in the users file along the lines
> of:

  Don't use the "users" file.  See "man unlang" for a better way.

> DEFAULT Client-Shortname =~ "Cisco_IOS.*", User-Name := "someadmin",
> Cleartext-Password := "goodpassword"
>   Service-Type = NAS-Prompt-User

  Don't use ":=" for User-Name.  See "man users" for why.

> I'm having some problems, so I'm either missing something, or I'm going down
> an entirely wrong path. I got the "Client-Shortname" from the Run-time
> variables page in the Wiki, but I suspect it isn't evaluating like I think
> it ought to.

  Try unlang:

authorize {
        ...

        if ("%{client:vendor}" == "cisco") {
                ...
        }
        ...
}

  This says: look up the current client (for this request), and find the
"vendor" entry.  If that is "cisco", then do... something.

  It's a lot clearer to understand than the "users" file.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
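
With some 250 client blocks, one that lacks the custom "vendor" entry, or spells it differently, will not match an exact comparison such as "%{client:vendor}" == "cisco". The script below is an added example (not part of the original post and not FreeRADIUS code) that checks a clients.conf for such blocks; the sample data and the KNOWN_VENDORS set are constructed assumptions.

```python
import re

# Constructed sample in clients.conf syntax; names, addresses and secrets are made up.
SAMPLE = """
client core-sw1 {
        ipaddr = 10.1.2.3
        secret = foo
        vendor = cisco
}
client edge-sw7 {
        ipaddr = 10.3.2.1
        secret = bar
        vendor = HP      # differs only in case from the tag listed below
}
client lab-ap2 {
        ipaddr = 10.9.9.9
        secret = baz
}
"""
KNOWN_VENDORS = {"cisco", "hp"}   # assumption: the tags your unlang rules compare against

def parse_clients(text):
    """Return {client_name: {key: value}} for top-level 'client NAME { ... }' blocks."""
    clients, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        m = re.match(r"client\s+(\S+)\s*\{$", line)
        if m and depth == 0:
            current, depth = clients.setdefault(m.group(1), {}), 1
        elif line.endswith("{"):
            depth += 1                           # nested sub-section: skip its keys
        elif line == "}":
            depth, current = depth - 1, (current if depth > 1 else None)
        elif depth == 1 and current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value.strip('"')
    return clients

def audit(text, known=KNOWN_VENDORS):
    """Group clients by vendor tag; list those an exact-match rule would miss."""
    by_vendor, untagged = {}, []
    for name, cfg in parse_clients(text).items():
        vendor = cfg.get("vendor")
        if vendor in known:
            by_vendor.setdefault(vendor, []).append(name)
        else:
            untagged.append((name, vendor))      # None = entry missing entirely
    return by_vendor, untagged
```

Call audit() on the contents of your own clients.conf; anything returned in the second list needs a "vendor" entry added or corrected before vendor-based rules will apply to it.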
