Default Authentication
tnt at kalik.co.yu
tnt at kalik.co.yu
Fri May 4 11:00:20 CEST 2007
Yes, they can. They are not restricted in any way. Group fw-group is
restricted only to 10.0.0.1 and 10.0.0.2. If you want to stop other
groups from logging in there make huntgroups like this:
fw-pix NAS-IP-Address == 10.0.0.1
Group = fw-group
fw-pix NAS-IP-Address == 10.0.0.2
Group = fw-group
Router groups will then be able to login elsewhere but not on 1.0.0.1 and
10.0.0.2
Ivan Kalik
Kalik Informatika ISP
Dana 4/5/2007, "Norman Zhang" <norman.zhang at gmail.com> piše:
>Alan DeKok wrote:
>> If you want only groups A and B to log in, do:
>>
>> DEFAULT Group == A, Auth-Type = System
>> ...
>>
>> DEFAULT Group == B, Auth-Type = System
>> ...
>>
>> DEFAULT Auth-Type := Reject
>
>Thanks. Here's what I done.
>
>DEFAULT Group == router-ro, Auth-Type = System
> Service-Type = NAS-Prompt-User,
> cisco-avpair := "shell:priv-lvl=7"
>
>DEFAULT Group == router-rw, Auth-Type = System
> Service-Type = NAS-Prompt-User,
> cisco-avpair := "shell:priv-lvl=15"
>
>but I can't get restriction for another group "fw-group" to work.
>
>*added to users*
>DEFAULT Group == fw-group, Auth-Type = System
> Huntgroup-Name == "fw-pix",
> Service-Type = NAS-Prompt-User,
> cisco-avpair := "shell:priv-lvl=15"
>
>*added to huntgroups*
>fw-pix NAS-IP-Address == 10.0.0.1
>fw-pix NAS-IP-Address == 10.0.0.2
>
>Group "router-ro" and "router-rw" still can login to the PIX. Can you
>give me few more pointers?
>
>Norman
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
More information about the Freeradius-Users
mailing list