huntgroups question [unclas]

Ranner, Frank MR Frank.Ranner at defence.gov.au
Tue Nov 21 03:01:24 CET 2006


You could put your ip hosts into ldap, and use an entry in the hints 
file to look up ldap and set either the huntgroup name or the Hint 
Attribute.

hints:
DEFAULT
        Hint = `%{ldap:ldap:///ou=hosts,dc=example,dc=com?radiusHuntgroupName?one?ipHostNumber=%{NAS-IP-Address}}`


users:
# check for presence in LDAP-Group matching Hint or Huntgroup with possible suffixes
DEFAULT Hint == "", Huntgroup-Name !* Any,Auth-Type := Reject
        Reply-Message := "Unknown device, not present in any group."

DEFAULT LDAP-Group == "%{Hint:-%{Huntgroup-Name}}_munge"
        Reply-Message := "%u found in %{Hint}- We have a combined winner!",
        Fall-Through = no

DEFAULT Hint != "", LDAP-Group == "%{Hint}_qwerty"
        Reply-Message := "%u found in %{Hint}- We have a hinted winner!",
        Fall-Through = no

DEFAULT Huntgroup-Name =* Any, LDAP-Group == "%{Huntgroup-Name}_qwerty"
        Reply-Message := "%u found in %{Huntgroup-Name}- We have a hunted winner!",
        Fall-Through = no

# If you don't match any of the systems, deny access
DEFAULT Auth-Type := Reject
        Reply-Message := "You are not in %{Hint:-%{Huntgroup-Name}}"


It is better to set Hint because it will be set to "" if the ldap query
returns no entry. If you set Huntgroup-Name then the huntfile will not be
processed. Using Hint means you can also search for huntgroup the old
fashioned way.

Here is a device entry:

dn: cn=ps43a,ou=hosts,dc=...
objectClass: top
objectClass: device
objectClass: ipHost
objectClass: radiusprofile
cn: ps43a
radiusHuntgroupName: dsl
ipHostNumber: 192.168.40.50

All you need is 2000 more like that one!

Frank Ranner

> -----Original Message-----
> From: freeradius-users-bounces+frank.ranner=defence.gov.au at lists.freeradius.org
> [mailto:freeradius-users-bounces+frank.ranner=defence.gov.au at lists.freeradius.org] On Behalf Of Michael Mitchell
> Sent: Tuesday, 21 November 2006 08:49
> To: FreeRadius developers mailing list; freeradius-users at lists.freeradius.org
> Subject: Re: huntgroups question
> 
> Alexandru Dincov wrote:
> > knows if there are any limitations in huntgroups size? Are there other
> > solutions to have huntgroups functionality (access control based on
> > NAS-IP-Address or Client-IP-Address) using IP address ranges?
> 
> 
> Hi Alex,
> 
> You can do regular expression matches in the huntgroups file. 
> For example:
> 
> dial	Client-IP-Address =~ 192.168.1..*
> dsl	Client-IP-Address =~ 192.168.2..*
> 
> Maybe that can get you close to what you want?
> 
> Oh and by the way, these types of questions should be asked 
> on the FreeRADIUS Users list.
> 
> cheers,
> Mike
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
> 
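An added Python example, not from this thread or from FreeRADIUS itself, that generates and validates the kind of device entries Frank describes (the "2000 more like that one") and models the hints lookup offline. The inventory, the hostnames other than ps43a, the base DN ou=hosts,dc=example,dc=com (taken from the hints query) and the function names are assumptions for the example.

```python
import ipaddress

# Constructed inventory (cn, ipHostNumber, radiusHuntgroupName); hostnames
# and addresses other than ps43a/192.168.40.50 are made up for the example.
INVENTORY = [
    ("ps43a", "192.168.40.50", "dsl"),
    ("dial01", "192.168.1.10", "dial"),
    ("dsl02", "192.168.40.51", "dsl"),
]
BASE_DN = "ou=hosts,dc=example,dc=com"  # base used by the hints query above


def build_entries(inventory):
    """Validate the inventory and return {ipHostNumber: (cn, huntgroup)}.

    The hints lookup searches with scope 'one' and expands a single
    radiusHuntgroupName, so every NAS address (and cn) must be unique and
    every entry must carry a non-empty group, or Hint silently becomes ''.
    """
    by_ip, seen_cn = {}, set()
    for cn, ip, group in inventory:
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        if cn in seen_cn or ip in by_ip:
            raise ValueError(f"duplicate host entry: {cn} / {ip}")
        if not group:
            raise ValueError(f"{cn}: empty radiusHuntgroupName")
        seen_cn.add(cn)
        by_ip[ip] = (cn, group)
    return by_ip


def to_ldif(entries):
    """Render the entries in the same shape as the device entry in the post."""
    blocks = []
    for ip, (cn, group) in sorted(entries.items()):
        blocks.append("\n".join([
            f"dn: cn={cn},{BASE_DN}",
            "objectClass: top", "objectClass: device",
            "objectClass: ipHost", "objectClass: radiusprofile",
            f"cn: {cn}", f"radiusHuntgroupName: {group}", f"ipHostNumber: {ip}",
        ]))
    return "\n\n".join(blocks) + "\n"


def hint_for(nas_ip, entries):
    """Offline stand-in for the %{ldap:...ipHostNumber=%{NAS-IP-Address}} xlat:
    the huntgroup name when a host entry matches, else '' so that the users
    file can test Hint == "" and reject unknown devices."""
    match = entries.get(nas_ip)
    return match[1] if match else ""
```

Feeding the LDIF output to ldapadd against the base the hints entry searches populates the directory; a NAS whose address is absent gets Hint == "" and falls to the Reject entries in the users file.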