> I used to use huntgroups to do this, however recently
> discovered in the mailing list archives that the clients.conf
> file can be used to better effect with grouping:
> ----
> client 2.3.4.0/24 {
>   shortname = switch
>   secret = blar
> }
> client 3.4.5.0/24 {
>   shortname = switch
>   secret = hoot
>
>   vendor = allied-telesis
> }
> client 1.2.3.0/28 {
>   shortname = console
>   secret = honk
> }
> ----
>
> Then in your virtual server you can use something like:
> ----
> authorize {
>
>   ....
>
>   update request {
>     # NAS-Vendor is a local custom dict addition
>     NAS-Vendor := "%{client:vendor}"
>     NAS-Identifier := "%{client:shortname}"
>   }
>
>   ....
>
>   files
>
>   ....
>
> }
> ----
>
> Your 'users' file then has:
> ----
> DEFAULT NAS-Identifier == switch, NAS-Vendor == allied-telesis, LDAP-Group == netref
>   Service-Type = Administrative-User
> DEFAULT NAS-Identifier == switch, LDAP-Group == netref
>   Service-Type = NAS-Prompt-User, Cisco-AVPair = "shell:priv-lvl=15"
> DEFAULT NAS-Identifier == switch, Auth-Type := Reject
> ----
>
> You can actually add *anything* to the client subsections
> ('shortname' and 'secret' are the only FreeRADIUS variables in there,
> the 'vendor' bit is not known to FreeRADIUS) and FreeRADIUS will simply
> ignore it but it is accessible via '%{client:NAME}'.
>
> The advantage with this approach is that you are doing the
> NAS grouping in the clients.conf file rather than potentially
> duplicating it in the 'hints' and/or huntgroups file.
>
> Cheers
>
Many many thanks for this. Strangely enough, I already have the major groups in clients.conf for other reasons and the ultimate goal is to control logins on our cisco infrastructure and thus retire ACS. You've given me a lot of help.

Thanks,
Leighton
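
An added example, not part of either message and not FreeRADIUS code: a small Python model of the policy in the quoted configuration, showing which 'users' entry wins for each client group and that the server-side `:=` overwrite stops a NAS from naming its own group. The function names are hypothetical, and the model assumes an undefined client key expands to an empty string and treats LDAP-Group as plain set membership.

```python
import ipaddress

# Client blocks from the quoted clients.conf ('vendor' is the custom key).
CLIENTS = [
    ("2.3.4.0/24", {"shortname": "switch"}),
    ("3.4.5.0/24", {"shortname": "switch", "vendor": "allied-telesis"}),
    ("1.2.3.0/28", {"shortname": "console"}),
]

# The three 'users' entries, in file order: (check items, LDAP group, result).
USERS = [
    ({"NAS-Identifier": "switch", "NAS-Vendor": "allied-telesis"}, "netref",
     {"Service-Type": "Administrative-User"}),
    ({"NAS-Identifier": "switch"}, "netref",
     {"Service-Type": "NAS-Prompt-User", "Cisco-AVPair": "shell:priv-lvl=15"}),
    ({"NAS-Identifier": "switch"}, None, "REJECT"),
]


def client_for(src_ip):
    """Return the client section whose network contains the packet source."""
    addr = ipaddress.ip_address(src_ip)
    for net, conf in CLIENTS:
        if addr in ipaddress.ip_network(net):
            return conf
    return None  # unknown client: the server would drop the packet


def decide(src_ip, ldap_groups, nas_sent_identifier=None):
    """Model 'update request' followed by first-match 'files' evaluation."""
    client = client_for(src_ip)
    if client is None:
        return "DROP"
    request = {"NAS-Identifier": nas_sent_identifier}
    # ':=' replaces whatever the NAS sent with server-side client data.
    request["NAS-Identifier"] = client["shortname"]
    # Assumption: an undefined client key expands to an empty string.
    request["NAS-Vendor"] = client.get("vendor", "")
    for check, group, result in USERS:
        if all(request.get(k) == v for k, v in check.items()) and \
                (group is None or group in ldap_groups):
            return result  # no Fall-Through, so the first match wins
    return "NO-MATCH"  # e.g. 'console' clients: other entries/modules decide
```
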