On 31 Aug 2011, at 13:17, [email protected] wrote:

>> Thanks for the answer!
>>
>> But there are several problems for me:
>> - I have no access to LDAP; new groups are not as easy to implement as in small environments
>> - I already have more than 20 DEFAULT entries for different huntgroup/ldap-group combinations, and splitting nexus into nexus_RO and nexus_RW means adding 5 additional entries minimum
>> I'm searching for a more scalable solution. If the next team should get access to different devices, and then the third team to a third group of devices, or other rights...
>
> Hi,
>
> In this thread I found a hint for my config:
>
> http://freeradius.1045715.n5.nabble.com/huntgroups-question-td2756193.html
>
> "The huntgroups are a bit of a hack for backwards compatibility going back almost a decade. For 2000 machines, I would suggest using rlm_passwd. See the "man rlm_passwd" page for an example of setting up groups based on User-Name. The same method can be used to set up groups based on Client-IP-Address. You then have groups controlled by a flat text file, which is pretty easy to manage."
>
> passwd groups_local {
>     filename = /etc/raddb/groups_local
>     format = "~My-Device-Group:*NAS-IP-Address"
>     hashsize = 50
>     ignorenislike = no
>     allowmultiplekeys = no
>     delimiter = ":"
> }
>
> Groups_local:
> readonly:127.0.0.1
>
> Groups_local is called in section "authorize" just after "preprocess".
>
> I always got "returs notfound". If I add User-Name to the config, it's working.
> But I didn't want to check the username, I just want to add another flag (My-Device-Group) additional to huntgroups.
>
Did you remember to actually define 'My-Device-Group' as an attribute?

-Arran

Arran Cudbard-Bell
[email protected]

RADIUS - Half the complexity of Diameter

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
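As an added illustration (not code from the thread or from FreeRADIUS itself), the Python below models how rlm_passwd resolves the groups_local lookup quoted above and why an attribute that no dictionary declares cannot be added: the format prefixes follow the rlm_passwd documentation ('*' key field, '~' added to the request list, '=' added to the control list), and the dictionary lines, the groups_local contents and the "notfound" result for a NAS-IP-Address absent from the file are constructed here, not taken from the server source.

```python
import re

# Constructed inputs, not from the thread. NAS-IP-Address is the standard RFC 2865
# attribute; My-Device-Group is a site-local attribute declared the way raddb/dictionary
# shows for local attributes (numbers from 3000 up stay internal to the server).
DICTIONARY = """
ATTRIBUTE   NAS-IP-Address    4      ipaddr
ATTRIBUTE   My-Device-Group   3000   string
"""
GROUPS_LOCAL = "readonly:127.0.0.1\nreadwrite:10.0.0.5\n"   # stands in for /etc/raddb/groups_local
FORMAT = "~My-Device-Group:*NAS-IP-Address"

def load_dictionary(text):
    """Attribute names declared by ATTRIBUTE lines."""
    return {m.group(1) for m in re.finditer(r"^\s*ATTRIBUTE\s+(\S+)", text, re.M)}

def parse_format(fmt, delimiter=":"):
    """Split format into (prefix, name): '*' key field, '~' request list, '=' control list."""
    fields = []
    for field in fmt.split(delimiter):
        prefix, name = (field[0], field[1:]) if field[:1] in ("*", "~", "=") else ("", field)
        fields.append((prefix, name))
    if sum(p == "*" for p, _ in fields) != 1:
        raise ValueError("format must contain exactly one '*' key field")
    return fields

def undefined_attributes(fmt, dictionary, delimiter=":"):
    """Names in the format that no dictionary declares; the module cannot add these."""
    known = load_dictionary(dictionary)
    return [n for _, n in parse_format(fmt, delimiter) if n and n not in known]

def lookup(request, fmt, file_text, dictionary, delimiter=":"):
    """Model one rlm_passwd call: returns (rcode, request_adds, control_adds)."""
    missing = undefined_attributes(fmt, dictionary, delimiter)
    if missing:
        raise LookupError("attribute not in dictionary: " + ", ".join(missing))
    fields = parse_format(fmt, delimiter)
    key_idx = next(i for i, (p, _) in enumerate(fields) if p == "*")
    key_val = request.get(fields[key_idx][1])      # e.g. the NAS-IP-Address of the request
    for line in file_text.splitlines():
        cols = line.split(delimiter)
        if key_val is None or len(cols) != len(fields) or cols[key_idx] != key_val:
            continue
        req = {n: v for (p, n), v in zip(fields, cols) if p == "~"}   # '~' fields -> request list
        ctl = {n: v for (p, n), v in zip(fields, cols) if p == "="}   # '=' fields -> control list
        return "ok", req, ctl
    return "notfound", {}, {}
```

A request from 127.0.0.1 yields My-Device-Group = readonly in the request list, so a later `users` entry can match on it; drop the My-Device-Group line from DICTIONARY and `lookup` refuses to run at all, which is the check Arran's question points at.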

