I currently have my RADIUS servers set up to handle authentication for
my various NASes to grant users access to network resources.

I would like to use the same servers to handle authentication for SSH
for various routers. This all works, but I'm having a hard time
getting the RADIUS server to only accept requests from users of the
"ssh" group. I obviously don't want john.doe accessing my core
routers.

What is the best way to go about this? I was trying to use unlang to
query my database but can't seem to get the syntax right.

Contents of sites-enabled/default:

...authorize {
    preprocess
    if (Service-Type == "Login-User")
    if ( %{group_membership_query} == "ssh") {
        update reply {
            ok-to-continue
        }
    }
    else {
        update reply {
            Auth-Type := Reject
        }
    }....

The group_membership_query would reference this:

    group_membership_query = "SELECT groupname \
        FROM ${usergroup_table} \
        WHERE username = '%{SQL-User-Name}' \
        ORDER BY priority"

Any help/suggestions would be much appreciated.
Sincerely,
William Burnett
[email protected]
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
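
One way to express the group gate asked about above, as an added example that is not part of the original message or of FreeRADIUS's shipped configuration. It assumes the "sql" module instance is enabled with populated group tables, that the routers send Service-Type = Login-User as the post's condition implies, and that "ssh" is the group name from the post.

```unlang
# sites-enabled/default (added example, not the poster's file)
authorize {
    preprocess

    # Gate only login requests (the routers' SSH logins). Other
    # Service-Types fall through to the normal policy below.
    if (Service-Type == Login-User) {
        # SQL-Group is the comparison attribute registered by rlm_sql.
        # It runs the module's group_membership_query for the user and
        # matches if ANY returned group equals "ssh", so a user who is
        # in several groups is handled whatever the priority order.
        # An inline "%{sql:SELECT ...}" expansion would return only
        # the first row of the result.
        if (SQL-Group == "ssh") {
            ok
        }
        else {
            # Stop processing here and answer with Access-Reject.
            reject
        }
    }

    # ... rest of the authorize section (sql, pap, ...) unchanged
}
```

A request from a router that omits Service-Type skips this gate entirely, so the check is only as strict as that attribute is reliable.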