Device specific Access-Accept attributes and granular user group control

Peter Lambrechtsen plambrechtsen at gmail.com
Fri Feb 5 00:58:05 CET 2010


This is how I did it using LDAP.

http://lists.freeradius.org/mailman/htdig/freeradius-users/2009-November/msg00001.html

I would recommend using LDAP over MySQL, as normally you would have a
Corporate LDAP directory (Active Directory, or eDirectory or similar) and
managing access to your Radius system from Groups based in the LDAP is a
little easier than messing around with your MySQL database.

But that's just me.

On Fri, Feb 5, 2010 at 12:45 PM, Matt Hite <lists at beatmixed.com> wrote:

> Hello --
>
> I am running freeradius2-2.1.7 with MySQL as the backend datastore.
>
> I've got a deployment up and running supporting the admin login to
> about 200 switches from a single vendor. I'm looking to expand my
> deployment and thus some new requirements have surfaced.
>
> Requirements:
>
> - Different brands of gear should get different VSAs and/or general
> attributes returned in Access-Accept messages. For example, if I log
> in from a Cisco device, I should get a different RADIUS attribute sent
> back than when logging in from an F5 or a NetScreen.
>
> - Some users can log into certain groups of devices, others should not
> be able to
>
> I'm fairly certain the #2 requirement will require the use of
> huntgroups. Does anyone have any idea how to accomplish requirement
> #1?
>
> Thanks for your help in pointing me in the right direction.
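An added example (not code from either poster) of how the two requirements map onto FreeRADIUS's `files` module: `huntgroups` classifies each NAS by vendor, and `users` entries keyed on `Huntgroup-Name` both gate which backend group may log in and select the vendor's Access-Accept attributes. The NAS addresses and the group name `neteng` are constructed; `SQL-Group` is the rlm_sql group check item (rlm_ldap provides `Ldap-Group` the same way), and the F5 and NetScreen attribute names are assumed, so confirm them against `dictionary.f5` and `dictionary.netscreen` in your install.

```text
# /etc/raddb/huntgroups   (constructed addresses; one line per NAS, lines
# with the same huntgroup name are ORed together)
cisco      NAS-IP-Address == 10.1.0.11
cisco      NAS-IP-Address == 10.1.0.12
f5         NAS-IP-Address == 10.2.0.5
netscreen  NAS-IP-Address == 10.3.0.9

# /etc/raddb/users   (entries are tried in order; first match wins unless
# Fall-Through = Yes)

# Requirement 2: only members of the neteng group get onto Cisco gear.
# SQL-Group is resolved by rlm_sql against the usergroup table.
DEFAULT Huntgroup-Name == "cisco", SQL-Group == "neteng"
        Cisco-AVPair = "shell:priv-lvl=15",
        Service-Type = NAS-Prompt-User

# Anyone else arriving via a Cisco NAS is rejected before any reply
# attributes are chosen.
DEFAULT Huntgroup-Name == "cisco", Auth-Type := Reject
        Reply-Message = "Not authorised for Cisco devices"

# Requirement 1: vendor-specific reply attributes for the other platforms.
# Attribute and value names below are assumptions; check your dictionaries.
DEFAULT Huntgroup-Name == "f5"
        F5-LTM-User-Role = Administrator

DEFAULT Huntgroup-Name == "netscreen"
        NS-Admin-Privilege = Root-Admin
```

The `files` module must run in `authorize` for these entries to be evaluated; `radtest` against a NAS address from each huntgroup is the quickest way to confirm which entry matched and what was returned.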