Groups of NASs by IP

Leighton Man l.j.man at hud.ac.uk
Wed Nov 25 13:29:07 CET 2009


> I used to use huntgroups to do this, however recently
> discovered in the mailing list archives that the clients.conf
> file can be used to better effect with grouping:
> ----
> client 2.3.4.0/24 {
>         shortname       = switch
>         secret          = blar
> }
> client 3.4.5.0/24 {
>         shortname       = switch
>         secret          = hoot
>
>         vendor          = allied-telesis
> }
> client 1.2.3.0/28 {
>         shortname       = console
>         secret          = honk
> }
> ----
>
> Then in your virtual server you can use something like:
> ----
> authorize {
>
> ....
>
>   update request {
>       # NAS-Vendor is a local custom dict addition
>       NAS-Vendor      := "%{client:vendor}"
>       NAS-Identifier  := "%{client:shortname}"
>   }
>
> ....
>
>   files
>
> ....
>
> }
> ----
>
> Your 'users' file then has:
> ----
> DEFAULT NAS-Identifier == switch, NAS-Vendor == allied-telesis, LDAP-Group == netref
>         Service-Type = Administrative-User
> DEFAULT NAS-Identifier == switch, LDAP-Group == netref
>         Service-Type = NAS-Prompt-User, Cisco-AVPair = "shell:priv-lvl=15"
> DEFAULT NAS-Identifier == switch, Auth-Type := Reject
> ----
>
> You can actually add *anything* to the client subsections ('shortname'
> and 'secret' are the only FreeRADIUS variables in there, the 'vendor'
> bit is not known to FreeRADIUS) and FreeRADIUS will simply ignore it,
> but it is accessible via '%{client:NAME}'.
>
> The advantage with this approach is that you are doing the
> NAS grouping in the clients.conf file rather than potentially
> duplicating it in the 'hints' and/or huntgroups file.
>
> Cheers
>

Many, many thanks for this. Strangely enough, I already have the major groups in clients.conf for other reasons, and the ultimate goal is to control logins on our Cisco infrastructure and thus retire ACS. You've given me a lot of help.
Thanks,

Leighton
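To make the quoted scheme concrete, here is an added Python model of what FreeRADIUS does with it (example code, not part of the original post or of FreeRADIUS itself): a longest-prefix lookup of the NAS source address against the client blocks, expansion of `%{client:shortname}` and `%{client:vendor}` into the request, and first-match evaluation of the three `DEFAULT` entries. The client table, the users entries and the LDAP group membership are constructed to mirror the quoted configuration; the LDAP-Group check is simplified to a set lookup.

```python
import ipaddress

# Constructed client table mirroring the quoted clients.conf blocks.
# 'vendor' is not a FreeRADIUS keyword; it is only reachable via %{client:vendor}.
CLIENTS = {
    "2.3.4.0/24": {"shortname": "switch", "secret": "blar"},
    "3.4.5.0/24": {"shortname": "switch", "secret": "hoot", "vendor": "allied-telesis"},
    "1.2.3.0/28": {"shortname": "console", "secret": "honk"},
}

# Constructed 'users' entries as (check items, reply items), in file order.
USERS = [
    ({"NAS-Identifier": "switch", "NAS-Vendor": "allied-telesis", "LDAP-Group": "netref"},
     {"Service-Type": "Administrative-User"}),
    ({"NAS-Identifier": "switch", "LDAP-Group": "netref"},
     {"Service-Type": "NAS-Prompt-User", "Cisco-AVPair": "shell:priv-lvl=15"}),
    ({"NAS-Identifier": "switch"}, {"Auth-Type": "Reject"}),
]


def lookup_client(src_ip):
    """Longest-prefix match of the packet source address against the client blocks."""
    ip = ipaddress.ip_address(src_ip)
    best = None
    for cidr, attrs in CLIENTS.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, attrs)
    return best[1] if best else None


def authorize(src_ip, ldap_groups):
    """Expand %{client:...} into the request, then walk the users entries in order."""
    client = lookup_client(src_ip)
    if client is None:
        return None  # unknown client: the packet is dropped before authorize runs
    request = {
        "NAS-Identifier": client["shortname"],
        "NAS-Vendor": client.get("vendor", ""),  # empty when no 'vendor' line exists
    }
    for check, reply in USERS:
        matched = all(
            (want in ldap_groups) if attr == "LDAP-Group" else request.get(attr) == want
            for attr, want in check.items()
        )
        if matched:
            return reply  # first matching entry wins (no Fall-Through set)
    return {}  # console clients match no DEFAULT entry; other modules decide
```

Note that a switch in 2.3.4.0/24 has no `vendor`, so the first entry fails on `NAS-Vendor` and a netref member falls to the Cisco priv-lvl 15 entry, while any non-netref user on either switch subnet hits the final `Reject`.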





