Restricting access to a NAS
Min Qiu
mqiu at globalinternetworking.com
Tue Jan 24 18:35:52 CET 2006
I'm able to make it work by using huntgroups
admin   NAS-IP-address =~ "^10\.1\.2\." # thanks a lot to Bjørn
        User-Name = admin1,
        User-Name = admin2,
        ...
        ...
and users
admin1 Auth-Type := Local, User-Password == "secret", Huntgroup-Name == "admin"
...
I would assume that adding a huntgroup in the check line would be
the same with a database backend. Can you post your solution once
you make it work?
Thanks,
Min
-----Original Message-----
From: freeradius-users-bounces+mqiu=globalinternetworking.com at lists.freeradius.org on behalf of Lewis Bergman
Sent: Tue 1/24/2006 12:01 PM
To: FreeRadius users mailing list
Subject: Re: Restricting access to a NAS
Laker Netman wrote:
> I have a Cisco 3660 router configured for dialup AAA
> through FR (1.0.5) to access our LAN. I also have the
> login to the router itself, for admin, authenticating
> through FR (MySQL backend).
> The same DB is used for all auth, so currently anyone
> with a dialup account could also telnet into the
> router. This leaves only my 'enable' password to
> prevent problems.
> I want to configure FR to eliminate this ability for
> all but a select group of users (admins). There are
> other devices I would like to add to the list later.
> I've been looking at huntgroups as the solution, but
> was unsure how (or if) this could be handled via sql
> rather than the users file.
>
> Is anyone doing this and could provide a sample config
> layout?
>
I am not currently doing this but plan to tackle it by using something
like a realm of admin when I do get to it. So a user needing admin privs
would have to log in like user at admin.user to get access.
--
Lewis Bergman
Texas Communications
4309 Maple St.
Abilene, TX 79602-8044
Off. 325-691-1301
Cell 325-439-0533
fax 325-695-6841
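
Added example, not part of the original messages and not FreeRADIUS code: a small Python model of the two checks in Min's config (the huntgroups entry and the Huntgroup-Name check item), useful for testing which NAS addresses a NAS-IP-Address pattern really covers. Python's re module stands in for the server's regex matching, and the dictionaries, function names and sample addresses are constructed for illustration.

```python
import hmac
import re

# Constructed model of the huntgroups entry quoted in the message:
# group name, NAS-IP-Address pattern, and the User-Names listed under it.
HUNTGROUPS = [
    {"name": "admin", "nas_ip": r"^10\.1\.2\.", "users": {"admin1", "admin2"}},
]

# Constructed model of the users entry: password plus required Huntgroup-Name.
USERS = {
    "admin1": {"password": "secret", "huntgroup": "admin"},
}


def huntgroup_for(nas_ip, user, huntgroups=HUNTGROUPS):
    """Return the Huntgroup-Name the request would carry, or None."""
    for group in huntgroups:
        if re.search(group["nas_ip"], nas_ip) and user in group["users"]:
            return group["name"]
    return None


def authorize(nas_ip, user, password, huntgroups=HUNTGROUPS, users=USERS):
    """Accept only if the password and the Huntgroup-Name check both match."""
    entry = users.get(user)
    if entry is None or not hmac.compare_digest(entry["password"], password):
        return False
    return huntgroup_for(nas_ip, user, huntgroups) == entry["huntgroup"]


def loose_matches(pattern, addresses):
    """List the addresses a NAS-IP-Address pattern would match."""
    return [ip for ip in addresses if re.search(pattern, ip)]


if __name__ == "__main__":
    nas_list = ["10.1.2.7", "10.1.20.7", "110.1.2.7", "10.1.3.1"]  # constructed
    print(authorize("10.1.2.7", "admin1", "secret"))   # NAS inside the huntgroup
    print(authorize("10.1.3.1", "admin1", "secret"))   # NAS outside the huntgroup
    print(loose_matches(r"^10\.1\.2\.", nas_list))     # pattern from the message
    print(loose_matches(r"10.1.2.", nas_list))         # unanchored, unescaped dots
```

The last two calls show why the `^` anchor and the escaped dots in the pattern matter: without them the same huntgroup would also cover 10.1.20.7 and 110.1.2.7.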