Locking realm access to a specific huntgroup
Hello, I have different NAS and each type of NAS is grouped together in a huntgroup. I need to make an addition to my radius setup to proxy requests with a certain realm to a specified server. Proxying is already working but I want to lock the users using that specific realm to a specific huntgroup so that its only possible for them to login on predefined NASgroup. I don't have access to the remote proxy server. Using attr_filter isn't an option since this only filters replys. Anyone knows how to do this? Thx in advance and kind regards, Jonathan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Locking realm access to a specific huntgroup
Jonathan De Graeve wrote: I have different NAS and each type of NAS is grouped together in a huntgroup. I need to make an addition to my radius setup to proxy requests with a certain realm to a specified server. Proxying is already working but I want to lock the users using that specific realm to a specific huntgroup so that its only possible for them to login on predefined NASgroup. You could try to manually set the Proxy-To-Realm variable in the users file instead of using the realm module. For example, test with something like that: DEFAULT User-Name =~ @foo\.net$, Huntgroup-Name == bar, Proxy-To-Realm := foo.net Using attr_filter isn't an option since this only filters replys. The attr_filter module can be used in both pre-proxy and post-proxy sections. -- Nicolas Baradakis - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Locking realm access to a specific huntgroup
You could try to manually set the Proxy-To-Realm variable in the users file instead of using the realm module. For example, test with something like that: DEFAULT User-Name =~ @foo\.net$, Huntgroup-Name == bar, Proxy-To-Realm := foo.net Ok, this is working :) (I tried the same with a wrong regexp) Using attr_filter isn't an option since this only filters replys. The attr_filter module can be used in both pre-proxy and post-proxy sections. Indeed but if I understand it right, you can't distinct between the 2 types? Furthermore, this only changes/filters attributes while I needed to check the huntgroup to the local radius. Since the DEFAULT trick works, I'm happy :) Thx a lot ;) J. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Locking realm access to a specific huntgroup
Jonathan De Graeve wrote: Using attr_filter isn't an option since this only filters replys. The attr_filter module can be used in both pre-proxy and post-proxy sections. Indeed but if I understand it right, you can't distinct between the 2 types? You can't. But you can have 2 module instances for each section :) Furthermore, this only changes/filters attributes while I needed to check the huntgroup to the local radius. You're right, and this is the reason why attr_filter isn't suitable in your case. Since the DEFAULT trick works, I'm happy :) Thx a lot ;) You're welcome :) -- Nicolas Baradakis - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html