2010/12/6 Dan White <[email protected]>:
> On 06/12/10 15:34 +0300, c0re wrote:
>>
>> 2010/12/1 Dan White <[email protected]>:
>> Thanks for the example!
>>
>> But it still requires editing clients.conf when adding a device. And it
>> does not restrict by groups.
>
> That's true, unless you have some of your clients coming from behind
> one NAT address. I'm not aware of any way around that.
>
>> As per http://wiki.freeradius.org/Rlm_ldap I can use
>>
>> groupmembership_filter =
>>
>> "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
>>
>> Are there any other variables that can be used? I mean not only
>> Ldap-UserDn, but something like Ldap-clientIP, or Ldap-clientHostname,
>> or anything else to uniquely identify the remote device. So I can use
>> dynamic groups in OpenLDAP and restrict access to a device by group
>> membership.
>
> As for the client IP, or other identifying information of the
> authenticating device, I've always tried to use huntgroups to identify the
> device rather than trying to perform a match in the LDAP filter, but that
> approach might work just fine.
>
> Keep in mind that different types of devices will send more or less
> information in their RADIUS requests. Running freeradius in '-X' mode and
> sending a sample request will show you the information that you might be
> able to match on.
>
> --
> Dan White
Thanks for the tip about -X mode, will do it if I run into trouble. Found a very interesting message in the mailing lists here: http://lists.freeradius.org/pipermail/freeradius-users/2010-October/msg00058.html Even more interesting: storing the NAS secret in LDAP! And using the variable Packet-Src-IP-Address to differentiate source devices. Will try to get it working this week.
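One way to combine the groupmembership_filter quoted above with the Packet-Src-IP-Address idea, so that a user is only treated as a member of a group on the devices that group is allowed to manage. This is an added example, not configuration from the thread or from the FreeRADIUS project; it assumes FreeRADIUS 2.x and that each LDAP group entry additionally carries the auxiliary objectClass ipHost with one ipHostNumber value per permitted NAS address (that schema choice is an assumption).

```text
# modules/ldap (FreeRADIUS 2.x) - added example, not from the original thread.
# Assumption: group entries are groupOfNames/groupOfUniqueNames that also have
# objectClass ipHost, with ipHostNumber listing each NAS the group may log into.
# The extra AND clause makes the membership test depend on the packet source
# address, so the same user is "in" the group only on the listed devices.
ldap {
        # (server, identity, password, basedn, etc. unchanged)
        groupname_attribute = cn
        groupmembership_filter = "(&(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))(ipHostNumber=%{Packet-Src-IP-Address}))"
}

# users file: accept only when the user is in a group that lists this NAS;
# anything that does not match an Ldap-Group entry falls through to the reject.
# "network-admins" is a placeholder group name.
DEFAULT Ldap-Group == "network-admins"
        Service-Type = Administrative-User

DEFAULT Auth-Type := Reject
        Reply-Message = "Not authorized on this device"
```

As Dan's caveat notes, Packet-Src-IP-Address is the address the packet arrives from, so devices behind one NAT all present the same value and cannot be told apart by this filter alone; check the attributes shown in `radiusd -X` output before relying on any other device identifier.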
