Hi,

On Tue, Apr 16, 2013 at 02:05:45PM -0500, John Giordano wrote:
> So I man'ed unlang and then did some more reading on huntgroups
> and the users file. If at all possible I think we would opt for
> a combo of the huntgroups/users file approach. I am still not
> clear as to how we would do this though....
>
> Could you please speak to the interrelationship between the
> clients file and the huntgroups file?
The clients file lists clients (NASes) that can talk to the server.

The huntgroups file (read by the preprocess module, not the files
module as in the comments at the top of the file) is used to match
incoming request attributes to set the Huntgroup-Name attribute,
which can be further used to set other attributes in the reply (for
example, in the users file, or by using unlang).

The users file (read by the files module) can match on request
attributes to set reply attributes. The standard lookup is for
User-Name; this can be changed, or a DEFAULT entry can be used to
match anything else.

> My first question is that every huntgroups file example I have seen on the
> Net uses a per NAS definition:
>
> raleigh NAS-IP-Address == 192.168.1.101
> raleigh NAS-IP-Address == 192.168.1.102
> raleigh NAS-IP-Address == 192.168.1.103
> premium NAS-IP-Address == 192.168.1.101, NAS-Port-Id == 0-4
>         Group = premium,
>         Group = staff
>
> I would rather not have to define 254 different entries in our
> huntgroups file (254 hosts in a Class C obviously). Can I use a
> netmask somehow in the huntgroups file?
It's a check list, so you should be able to use any standard check
operator - so try regex, for example:

huntgroups:

foo	NAS-IP-Address =~ /^10\.2\.3\./
bar	NAS-IP-Address =~ /^10\.4\.9\./

users: (add these at the *top* of the file)

DEFAULT	Huntgroup-Name == foo
	Idle-Timeout := 600,
	Fall-Through := yes

DEFAULT	Huntgroup-Name == bar
	Idle-Timeout := 1200,
	Fall-Through := yes

> In pseudo parlance this is what I am trying to accomplish in huntgroups:
>
> MSP 7345's NAS-IP-Address == 10.99.3.0/24
>         IDLE-TIMEOUT = 1800
>
> SNJ 7000 NAS-IP-Address == 10.3.99.0/24
>         IDLE-TIMEOUT = 60

Note that Client-IP-Address is sometimes better than NAS-IP-Address
(it can't be spoofed, which may be the case if you process proxied
requests from RADIUS servers out of your own control), but
Client-IP-Address can *not* be used in the huntgroups file, as that
only looks at the incoming request attributes, and Client-IP-Address
is not one of them. If this is a concern there are ways of getting
around it. One is to use unlang instead of the huntgroups file, as
Alan suggested.

Note the above splits the config over two locations. If you want to
keep it all in one place, use unlang like Alan said. If it doesn't
look tidy, put it in the policy.conf file and then call the policy
name instead.

Matthew

-- 
Matthew Newton, Ph.D. <m...@le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ith...@le.ac.uk>
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
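The single-place unlang variant Matthew points at, written out as an added example (it is not part of the original message and not the FreeRADIUS project's own configuration): a policy for policy.conf that uses the two subnets and timeouts from the question and matches on Client-IP-Address, which unlang can see but the huntgroups file cannot. The policy name nas_idle_timeout is an assumption.

```unlang
#  Added example, not from the original message or from FreeRADIUS
#  itself. Goes in policy.conf. The policy name "nas_idle_timeout" is
#  assumed; the subnets and timeouts are the ones from the question.
#
#  Client-IP-Address is the source address of the packet as seen by
#  this server, so a NAS or an untrusted proxy cannot forge it the way
#  it can forge NAS-IP-Address. It is not a request attribute, which is
#  why the huntgroups file cannot match on it but unlang can.
#
#  The regexes are anchored at both ends and every dot is escaped: an
#  unanchored /10.99.3./ would also match 110.99.3.x and 10x99y3z.
policy {
	nas_idle_timeout {
		if (Client-IP-Address =~ /^10\.99\.3\.[0-9]+$/) {
			#  "MSP 7345" NASes, 10.99.3.0/24
			update reply {
				Idle-Timeout := 1800
			}
		}
		elsif (Client-IP-Address =~ /^10\.3\.99\.[0-9]+$/) {
			#  "SNJ 7000" NASes, 10.3.99.0/24
			update reply {
				Idle-Timeout := 60
			}
		}
		#  Anything else: leave Idle-Timeout unset so the NAS
		#  default, or a per-user entry, applies.
	}
}
```

Call it by name (nas_idle_timeout) from the authorize section of the virtual server, listed before files, so that a per-user Idle-Timeout in the users file can still override the per-subnet value, exactly as the DEFAULT-at-the-top plus Fall-Through layout does in the two-file version. On FreeRADIUS 3.x the regex can be replaced by a prefix comparison such as (&Client-IP-Address < 10.99.3.0/24), which avoids hand-written dotted-quad regexes altogether.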