Re: Huntgroups, Users and Proxy



Just checking back to see if anyone can let me know if I am on the right track. Thanks.

-------- Original Message --------
Subject: Re: Huntgroups, Users and Proxy
Date: Wed, 13 Dec 2006 15:17:44 -0500
From: Walt Reynolds <waltr@umich.edu>
To: freeradius-users@lists.freeradius.org


Date: Wed, 13 Dec 2006 08:05:32 +0000
From: B Thompson <bt4@york.ac.uk>
Subject: Re: Huntgroups, Users and Proxy
To: FreeRadius users mailing list
	<freeradius-users@lists.freeradius.org>
Message-ID: <20061213080532.GA2261@grande.york.ac.uk>
Content-Type: text/plain; charset=us-ascii

On Tue, Dec 12, 2006 at 04:23:43PM -0500, Walt Reynolds wrote:
I am going in circles here and not getting anywhere. I will try to describe what I want to do starting with huntgroups.

huntgroup:
All      NAS-IP-Address == 10.213.226.1
All      NAS-IP-Address == 10.213.226.2
All      NAS-IP-Address == 10.213.226.3
All      NAS-IP-Address == 192.168.224.5
All      NAS-IP-Address == 192.168.224.36
All      NAS-IP-Address == 172.213.226.46

Bldg1    NAS-IP-Address == 10.213.226.1
Bldg1    NAS-IP-Address == 10.213.226.2
Bldg1    NAS-IP-Address == 10.213.226.3
Bldg1    NAS-IP-Address == 192.168.224.5
Bldg1    NAS-IP-Address == 192.168.224.36

Bldg2    NAS-IP-Address == 172.213.226.46

You can't have the same IP address in more than one huntgroup - See bug
#233.

 http://bugs.freeradius.org/show_bug.cgi?id=233

The solution is to use rlm_passwd instead.

Ok, thanks for that info.  Now let's say I put each NAS in one huntgroup
(I added the extra groups for possibilities).

So let's say I have the following:

UnitA      NAS-IP-Address == 10.213.226.1
UnitA      NAS-IP-Address == 10.213.226.2
UnitA      NAS-IP-Address == 10.213.226.3

UnitB      NAS-IP-Address == 192.168.224.5

UnitAB     NAS-IP-Address == 172.213.226.46

TypeVPN    NAS-IP-Address == 192.168.224.5

TypeGW     NAS-IP-Address == 192.168.224.36

So this sets each NAS into a single group.  The rest of my question I am
still confused about.
"UnitA"    Authenticate with user@unita.generic.edu
           or Authenticate with Null Realm
           or Authenticate user@generic.edu
           but NOT user@unitb.generic.edu
"UnitB"    Authenticate with user@unitb.generic.edu
           or Authenticate with Null Realm
           or Authenticate user@generic.edu
           but NOT user@unita.generic.edu
"UnitAB"   Authenticate with user@unita.generic.edu
           or Authenticate with user@unitb.generic.edu
           or user@generic.edu
           or Null realm
"TypeVPN"  Authenticate ONLY with Null Realm
"TypeGW"   Authenticate with Null realm or generic.edu

So would I add the following to the users file: (Not sure about UnitAB
and TypeVPN with Fall-Through = No.  I think the rest is right though)

# Check items (including Proxy-To-Realm) go on the first line; the reply
# items (Fall-Through) go on the indented continuation line.
DEFAULT Huntgroup-Name == UnitAB, User-Name =~ ".*@unita.generic.edu$", Proxy-To-Realm := unita.generic.edu
	Fall-Through = Yes
DEFAULT Huntgroup-Name == UnitAB, User-Name =~ ".*@unitb.generic.edu$", Proxy-To-Realm := unitb.generic.edu
	Fall-Through = Yes
DEFAULT Huntgroup-Name == UnitA, Proxy-To-Realm := unita.generic.edu
	Fall-Through = Yes
DEFAULT Huntgroup-Name == UnitB, Proxy-To-Realm := unitb.generic.edu
	Fall-Through = Yes
DEFAULT Huntgroup-Name == TypeGW, Proxy-To-Realm := generic.edu
	Fall-Through = Yes
DEFAULT Huntgroup-Name == TypeVPN, Proxy-To-Realm := NULL
	Fall-Through = No

Then in the proxy.conf

proxy server {
        synchronous = no
        retry_delay = 5
        retry_count = 3
        dead_time = 120
        default_fallback = yes
        post_proxy_authorize = yes
}

realm unita.generic.edu {
        type            = radius
        authhost        = radius.unita.generic.edu:1812
        accthost        = radius.unita.generic.edu:1813
        nostrip
}
realm unitb.generic.edu {
        type            = radius
        # assumed: unitb's own server (the posted lines repeated unita's host)
        authhost        = radius.unitb.generic.edu:1812
        accthost        = radius.unitb.generic.edu:1813
        nostrip
}

# LOCAL means the request is authenticated here rather than proxied
realm generic.edu {
        type            = radius
        authhost        = LOCAL
        accthost        = LOCAL
        strip
}
realm NULL {
        type            = radius
        authhost        = LOCAL
        accthost        = LOCAL
}

realm DEFAULT {
        type            = radius
        authhost        = radius.highered.edu:1812
        accthost        = radius.highered.edu:1812
        secret          = XXXX
        nostrip
}


Thanks.  There are so many things out there that I got a little lost.  I
guess that is a problem with so many options and ways to do things.

Sorry for the resend, but wanted the same subject for threading


--
   Walter Reynolds
   Principle Systems Security Development Engineer
   Information Technology Central Services
   University of Michigan
   (734)615-9438



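The thread asks which realm each request ends up in once huntgroups, the users-file DEFAULT entries with their Fall-Through settings, and the proxy.conf realms are combined. The script below is an added model of that decision, not FreeRADIUS code and not anything posted in the thread; it assumes the stock 1.x authorize order (preprocess assigns the first matching huntgroup, the suffix module sets Proxy-To-Realm from the User-Name, then files entries with `:=` override it), and it assumes the unitb realm points at a host named radius.unitb.generic.edu. It also reports any NAS listed under more than one huntgroup, which is the situation bug #233 describes.

```python
"""Model of how the posted huntgroups, users file and proxy.conf combine to
pick a Proxy-To-Realm.  Added illustration, not FreeRADIUS source; the
evaluation order and matching rules are assumptions based on the stock 1.x
authorize section (preprocess, suffix, files)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# huntgroups file, in file order (the second list in the thread)
HUNTGROUPS: List[Tuple[str, str]] = [
    ("UnitA", "10.213.226.1"),
    ("UnitA", "10.213.226.2"),
    ("UnitA", "10.213.226.3"),
    ("UnitB", "192.168.224.5"),
    ("UnitAB", "172.213.226.46"),
    ("TypeVPN", "192.168.224.5"),
    ("TypeGW", "192.168.224.36"),
]

# realm name -> authhost from proxy.conf; LOCAL means "authenticate here".
# radius.unitb.generic.edu is an assumed host name.
REALMS: Dict[str, str] = {
    "unita.generic.edu": "radius.unita.generic.edu:1812",
    "unitb.generic.edu": "radius.unitb.generic.edu:1812",
    "generic.edu": "LOCAL",
    "NULL": "LOCAL",
    "DEFAULT": "radius.highered.edu:1812",
}


@dataclass
class UsersEntry:
    """One DEFAULT line from the users file."""
    huntgroup: str                     # Huntgroup-Name == ...
    proxy_to_realm: str                # Proxy-To-Realm := ...
    fall_through: bool                 # Fall-Through = Yes / No
    user_regex: Optional[str] = None   # User-Name =~ ...  (None = any user)


USERS: List[UsersEntry] = [
    UsersEntry("UnitAB", "unita.generic.edu", True, r"@unita\.generic\.edu$"),
    UsersEntry("UnitAB", "unitb.generic.edu", True, r"@unitb\.generic\.edu$"),
    UsersEntry("UnitA", "unita.generic.edu", True),
    UsersEntry("UnitB", "unitb.generic.edu", True),
    UsersEntry("TypeGW", "generic.edu", True),
    UsersEntry("TypeVPN", "NULL", False),
]


def duplicate_nas() -> Dict[str, List[str]]:
    """NAS addresses listed under more than one huntgroup (bug #233 case)."""
    seen: Dict[str, List[str]] = {}
    for group, ip in HUNTGROUPS:
        seen.setdefault(ip, []).append(group)
    return {ip: groups for ip, groups in seen.items() if len(groups) > 1}


def huntgroup_for(nas_ip: str) -> Optional[str]:
    """preprocess sets Huntgroup-Name to the FIRST group whose NAS matches."""
    for group, ip in HUNTGROUPS:
        if ip == nas_ip:
            return group
    return None


def suffix_realm(user_name: str) -> str:
    """What the suffix module sets before the files module runs."""
    if "@" not in user_name:
        return "NULL"
    suffix = user_name.rsplit("@", 1)[1]
    return suffix if suffix in REALMS else "DEFAULT"


def route(nas_ip: str, user_name: str) -> Tuple[Optional[str], str, str]:
    """Return (Huntgroup-Name, final Proxy-To-Realm, authhost) for a request."""
    group = huntgroup_for(nas_ip)
    realm = suffix_realm(user_name)
    for entry in USERS:
        if entry.huntgroup != group:
            continue
        if entry.user_regex and not re.search(entry.user_regex, user_name):
            continue
        realm = entry.proxy_to_realm   # ':=' replaces whatever suffix set
        if not entry.fall_through:
            break                      # Fall-Through = No stops matching
    return group, realm, REALMS[realm]


if __name__ == "__main__":
    print("NAS listed in several huntgroups:", duplicate_nas())
    # constructed sample requests, one per NAS plus an unknown NAS
    for nas, user in [("10.213.226.1", "alice@unita.generic.edu"),
                      ("10.213.226.1", "alice"),
                      ("172.213.226.46", "bob@unitb.generic.edu"),
                      ("192.168.224.5", "dave"),
                      ("192.168.224.36", "eve@somewhere.org"),
                      ("1.2.3.4", "frank@elsewhere.org")]:
        print(f"{nas:16} {user:26} -> {route(nas, user)}")
```

Running it shows the consequence of the duplicate address directly: 192.168.224.5 is claimed by UnitB first, so the TypeVPN entry never fires for that NAS, and a realm-less user there is proxied to unitb's server instead of being handled locally. It also makes visible that the UnitA and UnitB DEFAULT entries proxy realm-less and generic.edu users to the unit servers, since those entries have no User-Name check.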




