Huntgroups, Users and Proxy

Walt Reynolds waltr at umich.edu
Tue Dec 12 22:23:43 CET 2006


I am going in circles here and not getting anywhere.  I will try to 
describe what I want to do starting with huntgroups.

huntgroup:
All       NAS-IP-Address == 10.213.226.1
All       NAS-IP-Address == 10.213.226.2
All       NAS-IP-Address == 10.213.226.3
All       NAS-IP-Address == 192.168.224.5
All       NAS-IP-Address == 192.168.224.36
All       NAS-IP-Address == 172.213.226.46

Bldg1     NAS-IP-Address == 10.213.226.1
Bldg1     NAS-IP-Address == 10.213.226.2
Bldg1     NAS-IP-Address == 10.213.226.3
Bldg1     NAS-IP-Address == 192.168.224.5
Bldg1     NAS-IP-Address == 192.168.224.36

Bldg2     NAS-IP-Address == 172.213.226.46

UnitA     NAS-IP-Address == 10.213.226.1
UnitA     NAS-IP-Address == 10.213.226.2
UnitA     NAS-IP-Address == 10.213.226.3
UnitA     NAS-IP-Address == 172.213.226.46

UnitB     NAS-IP-Address == 192.168.224.5
UnitB     NAS-IP-Address == 192.168.224.36
UnitB     NAS-IP-Address == 172.213.226.46

UnitAB    NAS-IP-Address == 172.213.226.46

TypeVPN   NAS-IP-Address == 192.168.224.5

TypeGW    NAS-IP-Address == 192.168.224.36

===========================

Now, what I need is multiple proxy statements for each.  For example I want

For each group below, in addition to what is listed, I want default to 
fall through to (proxy to):
realm DEFAULT {
        type            = radius
        authhost        = highered.edu
        accthost        = highered.edu
        nostrip
}
===================

"All"     Authenticate with a Null Realm
          or
          Authenticate user at generic.edu
"Bldg1"   Authenticate with a Null Realm
          or
          Authenticate user at generic.edu
"UnitA"   Authenticate with user at unita.generic.edu
          or
          Authenticate with Null Realm
          or
          Authenticate user at generic.edu
          But NOT
          user at unitb.generic.edu
"UnitB"   Authenticate with user at unitb.generic.edu
          or
          Authenticate with Null Realm
          or
          Authenticate user at generic.edu
          but NOT
          user at unita.generic.edu
"UnitAB"  Authenticate with user at unita.generic.edu
          or
          Authenticate with user at unitb.generic.edu
          or
          user at generic.edu
          or
          Null realm
"TypeVPN" Authenticate ONLY with Null Realm

So I can add these as DEFAULT users in the users file, based on 
huntgroup, but from there I am at a loss as to what entry to put and the 
config in proxy.conf to match.

I think I could do the following

users:
DEFAULT Huntgroup-Name == TypeVPN, Proxy-To-Realm := realm1.edu
DEFAULT Huntgroup-Name == TypeGW, Proxy-To-Realm := realm2.edu
DEFAULT Huntgroup-Name == UnitAB, Proxy-To-Realm := realm3.edu
DEFAULT Huntgroup-Name == UnitA, Proxy-To-Realm := realm4.edu
DEFAULT Huntgroup-Name == UnitB, Proxy-To-Realm := realm5.edu
# huntgroup name must match the huntgroups file exactly (Bldg1, not BLDG1)
DEFAULT Huntgroup-Name == Bldg1, Proxy-To-Realm := realm6.edu
DEFAULT Huntgroup-Name == Bldg2, Proxy-To-Realm := realm7.edu
DEFAULT Huntgroup-Name == All, Proxy-To-Realm := realm8.edu

But how can I get them to only allow certain @realms?  Is there a way to 
define in here something like this?

DEFAULT Huntgroup-Name == UnitA, *@unita.generic.edu Proxy-To-Realm := realm4.edu

but then in proxy.conf how can I keep it so it does not allow UnitA 
users to authenticate on UnitB NASes (unless it is a UnitAB) but still 
allows user at generic.edu, Null and DEFAULT proxy as mentioned above?

I have looked at the mailing list and found many setups, but none seem 
to take into account the actual realm a user tries to log into.

Thanks.

-- 
    Walter Reynolds
    Principal Systems Security Development Engineer
    Information Technology Central Services
    University of Michigan
    (734)615-9438
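As an added example (not part of the original post and not FreeRADIUS code), the following models the policy asked for above: look up the huntgroups a NAS belongs to, split the realm suffix the way the realm module would, and apply the per-huntgroup accept/refuse rules in the order the poster's users entries appear, first match winning. Assumed here: the row order, the spelling "NULL" for a bare user name, and that a realm neither accepted nor refused falls through to realm DEFAULT.

```python
NULL = "NULL"  # assumed label for a user name with no @suffix (null realm)

# Huntgroups copied from the post: huntgroup name -> NAS-IP-Address values.
HUNTGROUPS = {
    "All":     {"10.213.226.1", "10.213.226.2", "10.213.226.3",
                "192.168.224.5", "192.168.224.36", "172.213.226.46"},
    "Bldg1":   {"10.213.226.1", "10.213.226.2", "10.213.226.3",
                "192.168.224.5", "192.168.224.36"},
    "Bldg2":   {"172.213.226.46"},
    "UnitA":   {"10.213.226.1", "10.213.226.2", "10.213.226.3", "172.213.226.46"},
    "UnitB":   {"192.168.224.5", "192.168.224.36", "172.213.226.46"},
    "UnitAB":  {"172.213.226.46"},
    "TypeVPN": {"192.168.224.5"},
    "TypeGW":  {"192.168.224.36"},
}

# The wanted policy, one row per huntgroup in the order the post lists its users
# entries: (huntgroup, realms accepted, realms explicitly refused, "ONLY" flag).
# The first row whose huntgroup contains the NAS wins, like a users-file DEFAULT
# entry without Fall-Through. Unlisted realms go to realm DEFAULT (assumption).
POLICY = [
    ("TypeVPN", {NULL}, set(), True),
    ("UnitAB", {"unita.generic.edu", "unitb.generic.edu", "generic.edu", NULL}, set(), False),
    ("UnitA",  {"unita.generic.edu", "generic.edu", NULL}, {"unitb.generic.edu"}, False),
    ("UnitB",  {"unitb.generic.edu", "generic.edu", NULL}, {"unita.generic.edu"}, False),
    ("Bldg1",  {"generic.edu", NULL}, set(), False),
    ("All",    {"generic.edu", NULL}, set(), False),
]


def realm_of(user_name: str) -> str:
    """Split the suffix like the realm module: bob@x.edu -> x.edu, bob -> NULL."""
    return user_name.rsplit("@", 1)[1] if "@" in user_name else NULL


def decide(nas_ip: str, user_name: str) -> str:
    """Return the realm to authenticate against, 'DEFAULT' for the catch-all
    proxy, or 'REJECT' when the NAS's huntgroup does not permit that realm."""
    realm = realm_of(user_name)
    for group, accepted, refused, only in POLICY:
        if nas_ip not in HUNTGROUPS[group]:
            continue
        if realm in accepted:
            return realm
        if realm in refused or only:
            return "REJECT"
        return "DEFAULT"
    return "REJECT"  # NAS in no huntgroup at all (constructed choice)
```

Run a few constructed requests through decide() to check that the UnitA/UnitB exclusion, the UnitAB exception and the TypeVPN "ONLY" rule come out as described before translating the rows into users and proxy.conf entries.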
