Private attribute assigned in clients.conf and checked in huntgroups?

Fred MAISON fred.maison at gmail.com
Mon May 3 19:02:29 CEST 2010


Hello freeradius-users,

In many cases, when there are no attributes in the request to differentiate
the kind of NAS and we need to build a reply with NAS-dependent
(AVPAIR) attributes, the only solution is to assign the huntgroup by
checking the NAS-IP-Address again in preprocessing.

I would like to know if there is any way to create a private attribute in
clients.conf to assign a NAS type for huntgroup selection?

I made some checks but the My-Nas-Type variable does not seem to be
accessible from within huntgroups as a check item.

As we have to manage more than 1000 various NAS, the idea is to have a
configured value in clients.conf to distinguish between different
kinds/manufacturers/models of NAS, to avoid checking the NAS-IP-Address
again later in huntgroups (it is already done in clients.conf), and to be
able to assign the huntgroup by testing this private attribute.


For example:
dictionary:
ATTRIBUTE	My-Nas-Type	3000	string

clients.conf:

client c1 {
	ipaddress = 10.1.1.1
	My-Nas-Type	= cisco
	nastype = cisco
}
client c2 {
	ipaddress = 10.1.1.2
	My-Nas-Type = cisco
	nastype = cisco
}
client c3 {
	ipaddress = 10.2.2.2
	My-Nas-Type = netscreen
	nastype = other
}
client c4 {
	ipaddress = 10.3.3.3
	My-Nas-Type = provider1
	nastype = other
}


huntgroups:

cisco		Service-Type == Login-User, My-Nas-Type == "cisco"
netscreen	Service-Type == Login-User, My-Nas-Type == "netscreen"
provider1	Service-Type == Login-User, My-Nas-Type == "provider1"

ciscoByIP	NAS-IP-Address == 10.1.1.1, Service-Type == Login-User
ciscoByIP	NAS-IP-Address == 10.1.1.2, Service-Type == Login-User
netscreenByIP	NAS-IP-Address == 10.2.2.2, Service-Type == Login-User
p1ByIP		NAS-IP-Address == 10.3.3.3, Service-Type == Login-User
....

users:

# Huntgroup names must match the names defined in the huntgroups file
DEFAULT Huntgroup-Name == cisco, Ldap-Group == "CiscoRW"
	Cisco-AVPair := "shell:priv-lvl=15"
DEFAULT Huntgroup-Name == netscreen, Ldap-Group == "All-Admin-RW"
	NS-Admin-Privilege = "All-VSYS-Root-Admin"
DEFAULT Huntgroup-Name == provider1, Ldap-Group == "P1RW"
#Old config
DEFAULT Huntgroup-Name == ciscoByIP, Ldap-Group == "CiscoRW"
DEFAULT Huntgroup-Name == netscreenByIP, Ldap-Group == "All-Admin-RW"
DEFAULT Huntgroup-Name == p1ByIP, Ldap-Group == "P1RW"
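The following is an added example, not part of the original post and not FreeRADIUS code. It is a small Python model of the huntgroup selection described above: it parses a clients.conf-style file and a huntgroups-style file, then resolves a request from a given NAS-IP-Address two ways, by the per-client type copied from the client definition (what the post asks for) and by the old per-IP groups. It shows that both approaches yield the same group per NAS, while the type-based one keeps the IP-to-NAS mapping in one place. Only the syntax shown in the post is modelled (key = value client items, `==` checks); the copy of My-Nas-Type from the client into the request is the assumed behaviour the poster wants, not something the model asserts FreeRADIUS does. The sample data is constructed to mirror the post.

```python
import re

# Constructed sample data mirroring the post's example (not a real site).
CLIENTS_CONF = """
client c1 {
    ipaddress = 10.1.1.1
    My-Nas-Type = cisco
    nastype = cisco
}
client c2 {
    ipaddress = 10.1.1.2
    My-Nas-Type = cisco
    nastype = cisco
}
client c3 {
    ipaddress = 10.2.2.2
    My-Nas-Type = netscreen
    nastype = other
}
"""

HUNTGROUPS = """
cisco          Service-Type == Login-User, My-Nas-Type == "cisco"
netscreen      Service-Type == Login-User, My-Nas-Type == "netscreen"

ciscoByIP      NAS-IP-Address == 10.1.1.1, Service-Type == Login-User
ciscoByIP      NAS-IP-Address == 10.1.1.2, Service-Type == Login-User
netscreenByIP  NAS-IP-Address == 10.2.2.2, Service-Type == Login-User
"""

CLIENT_BLOCK = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
# Only the "Attribute == value" form used in the post is modelled.
CHECK = re.compile(r'^\s*(\S+)\s*==\s*"?([^"]*?)"?\s*$')


def parse_clients(text):
    """Return {ipaddress: {"name": ..., "My-Nas-Type": ..., ...}}."""
    clients = {}
    for m in CLIENT_BLOCK.finditer(text):
        items = {"name": m.group(1)}
        for line in m.group(2).splitlines():
            line = line.split("#", 1)[0].strip()
            if "=" in line:
                key, _, value = line.partition("=")
                items[key.strip()] = value.strip().strip('"')
        clients[items["ipaddress"]] = items
    return clients


def parse_huntgroups(text):
    """Return [(huntgroup_name, {attr: value, ...}), ...] in file order."""
    groups = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        name, checks = line.split(None, 1)
        parsed = {}
        for check in checks.split(","):
            m = CHECK.match(check)
            if not m:
                raise ValueError("unsupported check, only '==' is modelled: %r" % check)
            parsed[m.group(1)] = m.group(2)
        groups.append((name, parsed))
    return groups


def select_huntgroup(groups, request):
    """First group whose check items all match: every listed attribute must
    be present in the request with exactly the listed value."""
    for name, checks in groups:
        if all(request.get(attr) == value for attr, value in checks.items()):
            return name
    return None


def build_request(clients, nas_ip, service_type="Login-User"):
    """Assumed behaviour (what the post asks for): after the client lookup,
    the client's My-Nas-Type is copied into the request as a check item."""
    request = {"NAS-IP-Address": nas_ip, "Service-Type": service_type}
    client = clients.get(nas_ip)
    if client and "My-Nas-Type" in client:
        request["My-Nas-Type"] = client["My-Nas-Type"]
    return request


def resolve(nas_ip, service_type="Login-User"):
    """Return (type-based huntgroup, IP-based huntgroup) for one request."""
    clients = parse_clients(CLIENTS_CONF)
    groups = parse_huntgroups(HUNTGROUPS)
    request = build_request(clients, nas_ip, service_type)
    by_type = select_huntgroup([g for g in groups if "My-Nas-Type" in g[1]], request)
    by_ip = select_huntgroup([g for g in groups if "NAS-IP-Address" in g[1]], request)
    return by_type, by_ip


if __name__ == "__main__":
    for ip in ("10.1.1.2", "10.2.2.2", "10.9.9.9"):
        print(ip, resolve(ip))
```

A NAS that is not listed in clients.conf (10.9.9.9 above) gets no type and therefore matches no group either way, and a request with a Service-Type other than Login-User falls through all groups as well, which is the failure mode to watch for when a new NAS is added to clients.conf but not given a type.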
