Hello Troy -
You can use cascaded AuthBy clauses for this.
------------------------------------------------------
<Client DEFAULT>
    Secret xxxxxxxxx
    DupInterval 0
</Client>

<AuthBy GROUP>
    Identifier vpn
    <AuthBy GROUP>
        AuthByPolicy ContinueUntilReject
        <AuthBy NCSU>
        </AuthBy>
        <AuthBy GROUP>
            Identifier vpn_groups
            AuthByPolicy ContinueWhileReject
            #foo user
            <AuthBy HesiodGroup>
                HesiodAllow foo
                HesiodDeny disable
                AddToReply Class="OU=foo;"
            </AuthBy>
            #bar users
            <AuthBy HesiodGroup>
                HesiodAllow bar
                HesiodDeny disable
                StripFromReply Class
                AddToReply Class="OU=bar;"
            </AuthBy>
            #dog user
            <AuthBy HesiodGroup>
                HesiodAllow dog
                HesiodDeny disable
                StripFromReply Class
                AddToReply Class="OU=dog;"
            </AuthBy>
            #cat users
            <AuthBy HesiodGroup>
                HesiodAllow cat
                HesiodDeny disable
                StripFromReply Class
                AddToReply Class="OU=cat;"
            </AuthBy>
        </AuthBy>
    </AuthBy>
</AuthBy>

<AuthBy FILE>
    Identifier vpn.users
    Filename %D/vpn.users
</AuthBy>

<Handler NAS-IP-Address=vpn-address>
    RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
    RewriteUsername tr/A-Za-z0-9//cd
    AuthBy vpn.users
    AcctLogFileName /radius-dir/vpn
</Handler>

Then the file "vpn.users" would contain this:
# vpn.users
DEFAULT Auth-Type = vpn

userA   Auth-Type = vpn
        Framed-IP-Address = a.a.a.a

userB   Auth-Type = vpn
        Framed-IP-Address = b.b.b.b
.......
regards
Hugh
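The vpn.users layout above is easy to get subtly wrong once it holds a few dozen entries: a username typed twice, two users handed the same Framed-IP-Address, or an entry without Auth-Type = vpn that never reaches the Kerberos and Hesiod checks in the vpn group. The Python below is an added example, not Hugh's or Radiator's own code: it parses a constructed users file in that layout (one check or reply item per line, as in the thread, with placeholder addresses) and audits it before the server is reloaded.

```python
# Constructed vpn.users sample (placeholder addresses): username plus check items
# on the first line of an entry, indented lines carry that entry's reply items.
SAMPLE_VPN_USERS = """\
# vpn.users
DEFAULT Auth-Type = vpn
userA   Auth-Type = vpn
        Framed-IP-Address = 10.0.0.11
userB   Auth-Type = vpn
        Framed-IP-Address = 10.0.0.12
userC   Auth-Type = vpn
        Framed-IP-Address = 10.0.0.11
"""

def parse_users_file(text):
    """Return {username: {"check": {...}, "reply": {...}}} for a users file."""
    entries, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            # Indented line: reply items belonging to the current entry
            section, items = entries[current]["reply"], raw
        else:
            # New entry: username, then comma-separated check items
            parts = raw.split(None, 1)
            current, items = parts[0], (parts[1] if len(parts) > 1 else "")
            if current in entries:
                raise ValueError("duplicate entry for %s" % current)
            entries[current] = {"check": {}, "reply": {}}
            section = entries[current]["check"]
        for item in filter(None, (i.strip() for i in items.split(","))):
            attr, _, value = item.partition("=")
            section[attr.strip()] = value.strip().strip('"')
    return entries

def audit_static_ips(entries):
    """List the mistakes that would silently break the static-IP scheme."""
    problems = []
    if "DEFAULT" not in entries:
        problems.append("no DEFAULT entry, so users without a static IP are not handled")
    owner = {}
    for name, entry in entries.items():
        if entry["check"].get("Auth-Type") != "vpn":
            problems.append("%s: Auth-Type is not vpn, so the vpn AuthBy chain is skipped" % name)
        ip = entry["reply"].get("Framed-IP-Address")
        if ip in owner:
            problems.append("%s and %s both claim %s" % (owner[ip], name, ip))
        elif ip is not None:
            owner[ip] = name
    return problems
```

Running audit_static_ips(parse_users_file(SAMPLE_VPN_USERS)) flags userA and userC sharing 10.0.0.11; a clean file returns an empty list.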
On Thursday, Mar 20, 2003, at 08:45 Australia/Melbourne, Troy Holder wrote:
We are setting up our VPN so that everyone will use a default group when
connecting to the concentrator. I then have my radius server set up to
check their password with Kerberos (via AuthBy NCSU) and then check
their classification via Hesiod (via AuthBy hesiod) to see what group
to put them in on the vpn.
We want to allow certain users to have a static IP address (user a gets
IP a where user b gets IP b). I know that I can use the following to set
a user's IP address:
AddToReply Framed-IP-Address = a.b.c.d
What I have not figured out is a scalable way to do this with multiple
users. I know I can add a handler for every user and add the AddToReply
line there, but I may have a few dozen down the road and do not want my
config to grow so much. I would like to either put the users and IPs in
a db or in a flat file.
The part of my config that is used by the VPN concentrator is below.
Does anyone have a suggestion?
------------------------------------------------------
<Client DEFAULT>
    Secret xxxxxxxxx
    DupInterval 0
</Client>

<AuthBy GROUP>
    Identifier vpn
    <AuthBy GROUP>
        AuthByPolicy ContinueUntilReject
        <AuthBy NCSU>
        </AuthBy>
        <AuthBy GROUP>
            Identifier vpn_groups
            AuthByPolicy ContinueWhileReject
            #foo user
            <AuthBy HesiodGroup>
                HesiodAllow foo
                HesiodDeny disable
                AddToReply Class="OU=foo;"
            </AuthBy>
            #bar users
            <AuthBy HesiodGroup>
                HesiodAllow bar
                HesiodDeny disable
                StripFromReply Class
                AddToReply Class="OU=bar;"
            </AuthBy>
            #dog user
            <AuthBy HesiodGroup>
                HesiodAllow dog
                HesiodDeny disable
                StripFromReply Class
                AddToReply Class="OU=dog;"
            </AuthBy>
            #cat users
            <AuthBy HesiodGroup>
                HesiodAllow cat
                HesiodDeny disable
                StripFromReply Class
                AddToReply Class="OU=cat;"
            </AuthBy>
        </AuthBy>
    </AuthBy>
</AuthBy>

<Handler NAS-IP-Address=vpn-address>
    RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
    RewriteUsername tr/A-Za-z0-9//cd
    AuthBy vpn
    AcctLogFileName /radius-dir/vpn
</Handler>

--
Troy Holder [EMAIL PROTECTED]
Senior Network Engineer
Communication Technologies
North Carolina State University

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server anywhere.
Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
- Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.