Devices in more than one huntgroup

Jan.Gnepper at t-systems.com Jan.Gnepper at t-systems.com
Mon Aug 8 09:21:23 CEST 2011


Hi,

I have a little problem with devices in multiple huntgroups.
By now I know that this is not possible (rtfm helped ;-)

What I wanted to do is the following:

Two teams, but with different rights.

Users:
====================
DEFAULT Auth-Type := LDAP, Huntgroup-Name == "nexus", LDAP-Group == "<Team-1-Group>"
        Login-Service = Telnet,
        Cisco-AVPair = "shell:roles*\"network-admin\" \"vdc-admin\""

DEFAULT Auth-Type := LDAP, Huntgroup-Name == "readonly-nexus", LDAP-Group == "<Team-2-Group>"
        Login-Service = Telnet,
        Cisco-AVPair = "shell:roles*\"network-operator\" \"vdc-operator\""

Huntgroups:
====================
readonly-nexus NAS-IP-Address == 192.168.11.123
Nexus              NAS-IP-Address == 192.168.11.123


Since only the first match within the huntgroups is checked, team-2 always gets "access-reject".


Checking only the NAS-IP-Address makes sense in our environment.
I already found a hint to use rlm_passwd, but I can't get this to run.

So I tried the following:

=======================
Users:
DEFAULT Auth-Type := LDAP, Huntgroup-Name == "nexus", My-Device-Group "Nexus-readonly", LDAP-Group == "<Team-2-Group>"
        Login-Service = Telnet,
        Cisco-AVPair = "shell:roles*\"network-operator\" \"vdc-operator\""

modules/passwd:
passwd Groups_local {
        filename = /etc/raddb/groups_local
        format = "My-Device-Group:*NAS-IP-Address"
        hashsize = 50
        ignorenislike = no
        allowmultiplekeys = no
        delimiter = ":"
}

groups_local:
Nexus-readonly:192.168.11.123

dictionary:
ATTRIBUTE       My-Device-Group         3000    string

=======================

Groups_local was placed in authorize section, after preprocess.

Debug shows:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.11.123 port 48910, id=20, length=62
        User-Name = "test"
        User-Password = "test"
        NAS-Port-Type = Virtual
        NAS-Port = 3000
        NAS-IP-Address = 192.168.11.123
+- entering group authorize {...}
++[preprocess] returns ok
++[groups_local] returns notfound

Any idea?
Or is there a big bug in my config (and my mind)?
Thanks!

Jan
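A corrected version of the rlm_passwd approach attempted in the post above, added here as an example; it is not from the original message and not FreeRADIUS project code. The point it demonstrates: in an rlm_passwd format string a field with no prefix is added to the reply items, which a check item in the users file never sees, while a field prefixed with "=" is added to the request items, where "My-Device-Group == ..." can match. The huntgroup, LDAP group and attribute names, the IP address and the Cisco role strings are taken from the post; the single shared huntgroup, the consistently lowercase instance name groups_local (the post spells it both ways), the authorize ordering and the section names are assumptions.

```conf
# dictionary: local attribute carrying the device group (number 3000 as in the post)
ATTRIBUTE       My-Device-Group         3000    string

# modules/passwd: map NAS-IP-Address -> device group.
# '*' marks the key field; '=' puts My-Device-Group into the request items
# (without a prefix it would land in the reply items, invisible to users-file
# check items, so the check could never match).
passwd groups_local {
        filename = /etc/raddb/groups_local
        format = "=My-Device-Group:*NAS-IP-Address"
        hashsize = 50
        ignorenislike = no
        allowmultiplekeys = no
        delimiter = ":"
}

# /etc/raddb/groups_local: one line per device, group name first, key (NAS IP) second.
# The key column must contain the exact text form of the NAS-IP-Address (assumption:
# the lookup compares the attribute's string form to this column).
Nexus-readonly:192.168.11.123

# huntgroups: one entry per device is enough once the device group comes from
# rlm_passwd; the huntgroup no longer has to encode the access level
nexus   NAS-IP-Address == 192.168.11.123

# users: Team-1 gets admin roles on every nexus device; Team-2 only gets operator
# roles, and only on devices the passwd lookup tagged as read-only. Both check
# items on the Team-2 line must match, so a failed lookup leads to a reject,
# never to the admin entry.
DEFAULT Auth-Type := LDAP, Huntgroup-Name == "nexus", LDAP-Group == "<Team-1-Group>"
        Login-Service = Telnet,
        Cisco-AVPair = "shell:roles*\"network-admin\" \"vdc-admin\""

DEFAULT Auth-Type := LDAP, Huntgroup-Name == "nexus", My-Device-Group == "Nexus-readonly", LDAP-Group == "<Team-2-Group>"
        Login-Service = Telnet,
        Cisco-AVPair = "shell:roles*\"network-operator\" \"vdc-operator\""

# sites-enabled/default, authorize section: the lookup must run after preprocess
# (which builds Huntgroup-Name) and before the users file is evaluated
authorize {
        preprocess
        groups_local
        files
        ldap
}
```

Two things to verify in radiusd -X output after the change: "++[groups_local] returns ok" instead of "notfound" (the "=" prefix only fixes where the attribute ends up; a "notfound" means the key lookup itself failed, so the groups_local key column and the NAS-IP-Address value have to match exactly), and that a Team-2 user on 192.168.11.123 receives the operator roles while a Team-2 user on any device not listed in groups_local is rejected rather than falling into another entry.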

