> I used to use huntgroups to do this, however recently
> discovered in the mailing list archives that the clients.conf
> file can be used to better effect with grouping:
>
> client 2.3.4.0/24 {
>         shortname = switch
>         secret = blar
> }
> client 3.4.5.0/24 {
>         shortname = switch
>         secret = hoot
>         vendor = allied-telesis
> }
> client 1.2.3.0/28 {
>         shortname = console
>         secret = honk
> }
>
> Then in your virtual server you can use something like:
>
> authorize {
>         update request {
>                 # NAS-Vendor is a local custom dict addition
>                 NAS-Vendor := "%{client:vendor}"
>                 NAS-Identifier := "%{client:shortname}"
>         }
>         files
> }
>
> Your 'users' file then has:
>
> DEFAULT NAS-Identifier == switch, NAS-Vendor == allied-telesis, LDAP-Group == netref
>         Service-Type = Administrative-User
>
> DEFAULT NAS-Identifier == switch, LDAP-Group == netref
>         Service-Type = NAS-Prompt-User,
>         Cisco-AVPair = "shell:priv-lvl=15"
>
> DEFAULT NAS-Identifier == switch, Auth-Type := Reject
>
>
> You can actually add *anything* to the client subsections ('shortname'
> and 'secret' are the only FreeRADIUS variables in there; the 'vendor'
> bit is not known to FreeRADIUS) and FreeRADIUS will simply ignore it,
> but it is accessible via '%{client:NAME}'.
>
> The advantage with this approach is that you are doing the
> NAS grouping in the clients.conf file rather than potentially
> duplicating it in the 'hints' and/or huntgroups file.
>
> Cheers
>
Many many thanks for this. Strangely enough, I already have the major groups in
clients.conf for other reasons and the ultimate goal is to control logins on
our cisco infrastructure and thus retire ACS. You've given me a lot of help.
Thanks,
Leighton
---
This transmission is confidential and may be legally privileged. If you receive
it in error, please notify us immediately by e-mail and remove it from your
system. If the content of this e-mail does not relate to the business of the
University of Huddersfield, then we do not endorse it and will accept no
liability.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
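The thing that makes the approach in the quoted post worth copying is the ordering of the three DEFAULT entries: FreeRADIUS takes the first entry whose check items all pass and stops there unless the reply carries Fall-Through = Yes, so the bare "NAS-Identifier == switch" reject line must come last. The other point is that the `:=` in the update block overwrites whatever NAS-Identifier the NAS put in the Access-Request, so the policy keys off the clients.conf entry matched by source address and shared secret rather than off a value the device supplied itself. The following is an added, constructed example (not FreeRADIUS code and not the poster's configuration) that parses a users-file fragment of the shape shown above and applies those first-match semantics. The LDAP_GROUPS table, the user names, the treatment of `=` as a non-comparison and the `policy_for` helper are assumptions made for the example; the real LDAP-Group check is performed by rlm_ldap.

```python
"""Constructed evaluator for the FreeRADIUS 'users' file semantics shown above.

This is added example code, not FreeRADIUS or the poster's configuration. It
parses a users-file fragment, answers LDAP-Group == X from a constructed table
(standing in for rlm_ldap's group check), and applies the first-match rule:
the first entry whose check items all pass supplies the reply, and later
entries are consulted only if that reply contains Fall-Through = Yes.
"""
import re
from typing import Dict, List, Tuple

# Constructed users-file fragment in the shape the post describes.
USERS_FILE = """\
DEFAULT NAS-Identifier == switch, NAS-Vendor == allied-telesis, LDAP-Group == netref
\tService-Type = Administrative-User

DEFAULT NAS-Identifier == switch, LDAP-Group == netref
\tService-Type = NAS-Prompt-User,
\tCisco-AVPair = "shell:priv-lvl=15"

DEFAULT NAS-Identifier == switch, Auth-Type := Reject
"""

# Constructed stand-in for the directory: user name -> LDAP groups (assumption).
LDAP_GROUPS = {"alice": {"netref"}, "bob": {"helpdesk"}}

Item = Tuple[str, str, str]  # (attribute, operator, value)
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|!=|=)\s*("([^"]*)"|[^,]+?)\s*(?:,|$)')


def parse_items(text: str) -> List[Item]:
    """Split 'Attr op value, Attr op value' into items; quoted values keep their text."""
    items = []
    for m in ITEM_RE.finditer(text):
        attr, op, raw, quoted = m.groups()
        items.append((attr, op, quoted if quoted is not None else raw.strip()))
    return items


def parse_users(text: str) -> List[dict]:
    """An entry starts at column 0 (name + check items); indented lines are reply items."""
    entries: List[dict] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":
            entries[-1]["reply"].extend(parse_items(line))
        else:
            name, _, rest = line.partition(" ")
            entries.append({"name": name, "check": parse_items(rest), "reply": []})
    return entries


def check_passes(item: Item, request: Dict[str, str]) -> bool:
    attr, op, value = item
    if op in (":=", "="):            # control items such as Auth-Type := Reject are set, not compared
        return True
    if attr == "LDAP-Group":         # group membership lookup instead of a request attribute
        member = value in LDAP_GROUPS.get(request.get("User-Name", ""), set())
        return member if op == "==" else not member
    actual = request.get(attr)
    return actual == value if op == "==" else actual != value


def authorize(request: Dict[str, str], entries: List[dict]) -> dict:
    """First matching DEFAULT (or exact user name) entry wins unless it falls through."""
    control: Dict[str, str] = {}
    reply: Dict[str, str] = {}
    for entry in entries:
        if entry["name"] not in ("DEFAULT", request.get("User-Name")):
            continue
        if not all(check_passes(i, request) for i in entry["check"]):
            continue
        control.update({a: v for a, op, v in entry["check"] if op == ":="})
        reply.update({a: v for a, _, v in entry["reply"]})
        if reply.get("Fall-Through", "No").lower() != "yes":
            break
    return {"control": control, "reply": reply}


def policy_for(user: str, shortname: str, vendor: str = "") -> dict:
    """Mimic the 'update request' block: NAS-Identifier and NAS-Vendor are taken from
    the clients.conf entry matched by source address and secret, never from the NAS."""
    request = {"User-Name": user, "NAS-Identifier": shortname, "NAS-Vendor": vendor}
    return authorize(request, parse_users(USERS_FILE))


if __name__ == "__main__":
    for args in [("alice", "switch", "allied-telesis"), ("alice", "switch"),
                 ("bob", "switch"), ("alice", "console")]:
        print(args, policy_for(*args))
```

Running it shows the four outcomes the post's users file is designed to produce: a netref member on an Allied Telesis switch gets Administrative-User, the same member on any other switch gets NAS-Prompt-User with priv-lvl 15, a non-member on a switch is rejected, and a login on a console client is untouched by these entries. Swap the reject entry to the top and every switch login is rejected, which is exactly the first-match behaviour to keep in mind when editing the file.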