Grouping different kinds of clients and returning different attributes
Alan DeKok
aland at deployingradius.com
Fri Feb 13 09:44:00 CET 2009
David Bailey wrote:
> The problem is that although I have some 250 client definitions in
> clients.conf, I'd rather avoid using 250 definitions in users.
>
> I'm trying to find a way to categorize the RADIUS clients into Cisco, HP,
> etc.

You could use groups. See "man rlm_passwd" for examples. You can
create groups based on any criteria. Then, just do group checking.

> What I was trying to do was to give each client a name:
>
> client Cisco_IOS.host-10.1.2.3 {
>         ipaddr = 10.1.2.3
>         secret = supersecret
> }
>
> client HP_Procurve.host-10.3.2.1 {
>         ipaddr = 10.3.2.1
>         secret = alsoverysecret
> }

One undocumented feature is that you can put *anything* into the
configuration, so long as it is the correct format:

	client a {
		ipaddr = 10.1.2.3
		secret = foo
		vendor = cisco
	}

FreeRADIUS will load the "vendor" entry, but it won't do anything with
it. You can then create rules based on that.

> And then build something to refer to them in the users file along the lines
> of:

Don't use the "users" file. See "man unlang" for a better way.

> DEFAULT Client-Shortname =~ "Cisco_IOS.*", User-Name := "someadmin",
> Cleartext-Password := "goodpassword"
> Service-Type = NAS-Prompt-User

Don't use ":=" for User-Name. See "man users" for why.

> I'm having some problems, so I'm either missing something, or I'm going down
> an entirely wrong path. I got the "Client-Shortname" from the Run-time
> variables page in the Wiki, but I suspect it isn't evaluating like I think
> it ought to.

Try unlang:

	authorize {
		...
		if ("%{client:vendor}" == "cisco") {
			...
		}
		...
	}

This says: look up the current client (for this request), and find the
"vendor" entry. If that is "cisco", then do... something.

It's a lot clearer to understand than the "users" file.

Alan DeKok.
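
Added example, not part of the post above and not taken from the FreeRADIUS distribution: the "vendor" tag in clients.conf combined with an unlang check that returns different reply attributes per device class. The client names, addresses, secrets, the attributes chosen for each vendor, and the reject policy for untagged clients are assumptions made for illustration.

```unlang
# clients.conf (constructed entries; addresses and secrets are placeholders)
client switch-a {
	ipaddr = 192.0.2.10
	secret = REPLACE_WITH_SECRET_A
	# Free-form tag; the server loads it but does not interpret it.
	vendor = cisco
}

client switch-b {
	ipaddr = 192.0.2.20
	secret = REPLACE_WITH_SECRET_B
	vendor = hp
}

# Virtual server. User lookup and password checks stay with whatever
# modules are already listed in this section; only the vendor logic is shown.
authorize {
	preprocess

	if ("%{client:vendor}" == "cisco") {
		update reply {
			Service-Type = NAS-Prompt-User
			Cisco-AVPair += "shell:priv-lvl=15"
		}
	}
	elsif ("%{client:vendor}" == "hp") {
		update reply {
			Service-Type = Administrative-User
		}
	}
	else {
		# Missing or mistyped vendor tag: fail closed (assumed policy)
		# instead of returning attributes meant for another device class.
		reject
	}
}
```

Running the server in debug mode (`radiusd -X`) shows what `%{client:vendor}` expands to for each request, which makes a missing or misspelled tag among many client entries easy to spot.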