NAS-Group? - different replies to different NASes?

Ivan Kalik tnt at kalik.net
Tue Feb 26 15:21:50 CET 2008


>I think I might have another issue, as per the documentation the first item
>to be checked is the radcheck table for any attributes. Since my user
>exists in there I don't think the request will fall through to the
>radgroupcheck table anymore.
>
It will. In 2.x groups are handled properly in sql and you can separate
groups on the basis of NAS-IP-Address.

>The issue becomes more complicated since I want to send the LAC a different
>response, on the same user, than my LNS.
>

So configure the replies in radgroupreply.

>What if I add another column in the radcheck table that is called
>"NAS-Group" for example.  Then modify the sql.conf (I suspect a SQL
>statement in there) to do a check against that new field for allowing
>authentications?
>Also, if at the same time I add a new column in Radcheckgroup (or maybe in
>the nas table) that has the same field name as the "NAS-Group" above and in
>there I assign each LNS/LAC a NAS-Group Identifier?
>
>Will that even be remotely possible?
>

Not like that. Since NAS-Group is not in the request how are you going to
check it? You can check (a single) NAS-IP-Address that way. But there is
no dire need to do that since you can check it as an attribute.

If there are multiple addresses you will need to use regexp or huntgroups.

>Remember, my original problem is that I need to send the Telco's Proxy
>Radius (based on an individual user) a specific set of attributes that will
>be passed on to their LAC. 

What? Tunnel attributes are going to be different for each user? Can you
explain in more detail how that is supposed to work?

Ivan Kalik
Kalik Informatika ISP
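
The approach described in the reply above (one user, groups separated by NAS-IP-Address, replies in radgroupreply), as an added example that is not part of the original message. It assumes the stock FreeRADIUS SQL schema; the user name, group names, addresses and attribute values are constructed placeholders.

```sql
-- Constructed sample rows for the stock FreeRADIUS SQL tables
-- (radcheck, radusergroup, radgroupcheck, radgroupreply).
-- 'alice', the group names and all addresses are placeholders.

-- The per-user check item stays in radcheck.
INSERT INTO radcheck (username, attribute, op, value) VALUES
  ('alice', 'Cleartext-Password', ':=', 'example-secret');

-- The same user is a member of one group per NAS role.
INSERT INTO radusergroup (username, groupname, priority) VALUES
  ('alice', 'via-lac', 1),
  ('alice', 'via-lns', 2);

-- Group check items are compared against the incoming request.
-- A single address uses '=='; several addresses use a regexp ('=~').
-- The value must be what the request really carries in NAS-IP-Address.
INSERT INTO radgroupcheck (groupname, attribute, op, value) VALUES
  ('via-lac', 'NAS-IP-Address', '==', '192.0.2.10'),
  ('via-lns', 'NAS-IP-Address', '=~', '^198[.]51[.]100[.](20|21)$');

-- A group's reply items are used only when its check items matched,
-- so the two kinds of NAS get different replies for the same user.
INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES
  ('via-lac', 'Tunnel-Type',            ':=', 'L2TP'),
  ('via-lac', 'Tunnel-Medium-Type',     ':=', 'IPv4'),
  ('via-lac', 'Tunnel-Server-Endpoint', ':=', '198.51.100.20'),
  ('via-lns', 'Framed-Protocol',        ':=', 'PPP'),
  ('via-lns', 'Framed-IP-Address',      ':=', '203.0.113.45');
```

Running the server in debug mode while sending one request from each NAS shows which group's check items matched and which reply items were returned.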



