RE: Groups of NASs by IP

2009-11-25 Thread Leighton Man

> I used to use huntgroups to do this, however recently
> discovered in the mailing list archives that the clients.conf
> file can be used to better effect with grouping:
> 
> client 2.3.4.0/24 {
>         shortname   = switch
>         secret      = blar
> }
> client 3.4.5.0/24 {
>         shortname   = switch
>         secret      = hoot
>         vendor      = allied-telesis
> }
> client 1.2.3.0/28 {
>         shortname   = console
>         secret      = honk
> }
> 
> Then in your virtual server you can use something like:
> 
> authorize {
>         update request {
>                 # NAS-Vendor is a local custom dict addition
>                 NAS-Vendor      := "%{client:vendor}"
>                 NAS-Identifier  := "%{client:shortname}"
>         }
>         files
> }
> 
> Your 'users' file then has:
> 
> DEFAULT NAS-Identifier == switch, NAS-Vendor == allied-telesis, LDAP-Group == netref
>         Service-Type = Administrative-User
> DEFAULT NAS-Identifier == switch, LDAP-Group == netref
>         Service-Type = NAS-Prompt-User, Cisco-AVPair = "shell:priv-lvl=15"
> DEFAULT NAS-Identifier == switch, Auth-Type := Reject
> 
> You can actually add *anything* to the client subsections ('shortname'
> and 'secret' are the only FreeRADIUS variables in there, the 'vendor'
> bit is not known to FreeRADIUS) and FreeRADIUS will simply ignore it but
> it is accessible via '%{client:NAME}'.
>
> The advantage with this approach is that you are doing the
> NAS grouping in the clients.conf file rather than potentially
> duplicating it in the 'hints' and/or huntgroups file.
>
> Cheers
>

Many many thanks for this. Strangely enough, I already have the major groups in 
clients.conf for other reasons and the ultimate goal is to control logins on 
our Cisco infrastructure and thus retire ACS. You've given me a lot of help.
Thanks,

Leighton


---
This transmission is confidential and may be legally privileged. If you receive 
it in error, please notify us immediately by e-mail and remove it from your 
system. If the content of this e-mail does not relate to the business of the 
University of Huddersfield, then we do not endorse it and will accept no 
liability.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Groups of NASs by IP

2009-11-25 Thread Alexander Clouter
Leighton Man wrote:
> 
> I would like to group NASs by ip address but as I have a few hundred, 
> I don't want to maintain a list.
> 
> Can I configure ip address ranges in huntgroups eg.
> Group1 NAS-IP-Address == 192.168.1.101 - 105
> If not, can I use regular expressions?
> 
> How else can I do this? What is the best way?
> 
I used to use huntgroups to do this, however recently discovered in the 
mailing list archives that the clients.conf file can be used to better 
effect with grouping:

client 2.3.4.0/24 {
        shortname   = switch
        secret      = blar
}
client 3.4.5.0/24 {
        shortname   = switch
        secret      = hoot
        vendor      = allied-telesis
}
client 1.2.3.0/28 {
        shortname   = console
        secret      = honk
}

Then in your virtual server you can use something like:

authorize {
        update request {
                # NAS-Vendor is a local custom dict addition
                NAS-Vendor      := "%{client:vendor}"
                NAS-Identifier  := "%{client:shortname}"
        }
        files
}

Your 'users' file then has:

DEFAULT NAS-Identifier == switch, NAS-Vendor == allied-telesis, LDAP-Group == netref
        Service-Type = Administrative-User
DEFAULT NAS-Identifier == switch, LDAP-Group == netref
        Service-Type = NAS-Prompt-User, Cisco-AVPair = "shell:priv-lvl=15"
DEFAULT NAS-Identifier == switch, Auth-Type := Reject


You can actually add *anything* to the client subsections ('shortname' 
and 'secret' are the only FreeRADIUS variables in there, the 'vendor' 
bit is not known to FreeRADIUS) and FreeRADIUS will simply ignore it but 
it is accessible via '%{client:NAME}'.

The advantage with this approach is that you are doing the NAS grouping 
in the clients.conf file rather than potentially duplicating it in the 
'hints' and/or huntgroups file.

Cheers

-- 
Alexander Clouter
.sigmonster says: Your boyfriend takes chocolate from strangers.
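To show how the three pieces in the reply above fit together (longest-prefix client lookup by source IP, copying %{client:...} values into the request, then first-match DEFAULT entries in 'users'), here is an added Python emulation; it is not part of the thread or of FreeRADIUS. It assumes the clients.conf blocks and users entries exactly as posted, models the LDAP-Group check as a plain membership test, and reports a source IP with no matching client block as a drop.

```python
import ipaddress
import re
# Constructed input: the clients.conf blocks posted in the thread, compressed to one line each.
CLIENTS_CONF = """
client 2.3.4.0/24 { shortname = switch   secret = blar }
client 3.4.5.0/24 { shortname = switch   secret = hoot   vendor = allied-telesis }
client 1.2.3.0/28 { shortname = console  secret = honk }
"""

# The posted users-file entries as (check items, reply items); 'files' takes the first match.
USERS = [
    ({"NAS-Identifier": "switch", "NAS-Vendor": "allied-telesis", "LDAP-Group": "netref"},
     {"Service-Type": "Administrative-User"}),
    ({"NAS-Identifier": "switch", "LDAP-Group": "netref"},
     {"Service-Type": "NAS-Prompt-User", "Cisco-AVPair": "shell:priv-lvl=15"}),
    ({"NAS-Identifier": "switch"}, {"Auth-Type": "Reject"}),
]

def parse_clients(text):
    """Return [(network, attrs)] per client block; non-FreeRADIUS keys like 'vendor' are kept."""
    clients = []
    for m in re.finditer(r"client\s+(\S+)\s*\{([^}]*)\}", text):
        attrs = dict(re.findall(r"(\w+)\s*=\s*(\S+)", m.group(2)))
        clients.append((ipaddress.ip_network(m.group(1)), attrs))
    return clients

def lookup_client(clients, nas_ip):
    """Longest-prefix match, as FreeRADIUS picks the client block for a packet's source IP."""
    ip = ipaddress.ip_address(nas_ip)
    hits = [c for c in clients if ip in c[0]]
    return max(hits, key=lambda c: c[0].prefixlen)[1] if hits else None

def matches(check, request):
    """LDAP-Group is modelled as a membership test; every other check item is a string compare."""
    return all(v in request["LDAP-Group"] if k == "LDAP-Group" else request.get(k) == v
               for k, v in check.items())

def authorize(clients, nas_ip, ldap_groups):
    """Emulate the posted authorize section: update request from the client, then run files."""
    client = lookup_client(clients, nas_ip)
    if client is None:
        return "DROP"  # no client block covers the source IP: FreeRADIUS ignores the packet
    request = {"NAS-Identifier": client["shortname"],    # %{client:shortname}
               "NAS-Vendor": client.get("vendor", ""),    # %{client:vendor}, empty when absent
               "LDAP-Group": set(ldap_groups)}
    for check, reply in USERS:
        if matches(check, request):
            return reply
    return {}  # no DEFAULT entry matched (e.g. the 'console' group): no reply items set
```

Note that a 'switch' NAS whose user is outside the netref group falls through to the final Reject entry, while a 'console' NAS matches no entry at all, so that group needs its own DEFAULT line before it can be used the same way.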
