Example listed in huntgroup file does not work

tnt at kalik.co.yu
Thu Dec 13 16:24:25 CET 2007


On 13/12/2007, "Reynolds, Walter" <waltr at umich.edu> writes:

>
>I am looking at that option, but I should not have to.  Per the
>huntgroups file:
>
>"#               This file can also be used to define restricted access
>#               to certain huntgroups. The second and following lines
>#               define the access restrictions (based on username and
>#               UNIX usergroup) for the huntgroup.
>#"
>
>
>So I can create a huntgroup with multiple NAS, but the 'second and
>following lines' are only recognized by the last entry in the huntgroup.
>So if I go with groups, I should be able to add the following: (can
>someone tell me if this is the right syntax, or do I still have to add
>something to the dictionary.... have to leave right now to catch a
>flight.  Thanks)
>
>File radiusd.conf
>
>        passwd etc_group {
>               filename = /usr/local/ett/raddb/grouplist
>               format = "=Group-Name:*,User-Name"
>               hashsize = 50
>               ignorenislike = yes
>               allowmultiplekeys = yes
>               delimiter = ":"
>        }
>

Yes, you can create groups through files with rlm_passwd module.

>File huntgroups:
>
>Limit1         NAS-IP-Address == 192.168.2.5
>Limit1         NAS-IP-Address == 192.168.2.6
>			Group-Name == datacenter
>---

That's not going to work for the same reason as the list of usernames.
It is listed only for the last entry. You don't seem to comprehend that
it's totally irrelevant whether the entries have the same or different names
*inside* the huntgroups file. Grouping (giving entries the same name)
only has such an effect *outside* the huntgroups file when you use the
Huntgroup-Name attribute.

To save you some bother - don't group datacenter users. You don't want
to tie users to certain devices, you want to prevent some others from gaining
access to those devices. An entry like this in the users file will do that:

DEFAULT   Group-Name == nopasaran, Huntgroup-Name == Limit1, Auth-Type := Reject

Ivan Kalik
Kalik Informatika ISP
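A worked version of the layout Ivan describes, added here as an illustration and not taken from the thread or from the FreeRADIUS project's own documentation: the huntgroups file carries only NAS matching (two lines named Limit1 with no restriction lines under them), group membership comes from the rlm_passwd file already shown in the quoted radiusd.conf, and the access decision lives in the users file keyed on Huntgroup-Name. The group members, the second group name and the module ordering are constructed for the example; it assumes the standard internal dictionary already defines Group-Name and Huntgroup-Name, and that the grouplist file follows the quoted format string "=Group-Name:*,User-Name" with ":" as delimiter.

```text
# /usr/local/ett/raddb/grouplist  (constructed sample)
# One group per line, members separated by commas, matching the quoted
# rlm_passwd format "=Group-Name:*,User-Name" with delimiter ":".
datacenter:alice,bob
nopasaran:carol,dave

# /usr/local/ett/raddb/huntgroups
# Only NAS matching lives here. Both lines carry the same name so that
# Huntgroup-Name == Limit1 is set for a request from either device.
# No restriction lines follow them: a restriction line would attach to
# the single entry directly above it, not to the name "Limit1" as a whole.
Limit1   NAS-IP-Address == 192.168.2.5
Limit1   NAS-IP-Address == 192.168.2.6

# /usr/local/ett/raddb/users
# The restriction goes here instead. Members of the nopasaran group are
# refused on the Limit1 devices; requests that do not match this DEFAULT
# entry skip it and continue to the later entries in the file.
# All check items stay on one line.
DEFAULT   Group-Name == nopasaran, Huntgroup-Name == Limit1, Auth-Type := Reject

# radiusd.conf, authorize section (constructed ordering):
# preprocess applies the huntgroups file and sets Huntgroup-Name,
# the etc_group instance of rlm_passwd sets Group-Name from grouplist,
# and files evaluates the users entry above after both exist.
authorize {
        preprocess
        etc_group
        files
}
```

With this layout, adding a third NAS to the Limit1 group is a single new huntgroups line, and changing who is refused is an edit to grouplist only; the users entry never needs to change.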