Proxy decision based on LDAP lookups and Radius_client match.
Frank Skovboel
fs at secu.dk
Tue Nov 1 08:45:30 CET 2011
Hi Alan,
Thank you for your help, it's up and running now. I do have a few follow-up questions to see if I can make the configuration a bit simpler.
Is there a way to refer to the client shortname in the sites-enabled/default authorize section, so I only need to have the IP in one place? Or, even better, is there a way I can group clients so I can test on the group in the sites-enabled/default authorize section? That way the only place the IP exists is in clients.conf, and I can group the clients so I only have one if/elsif statement per company.
clients.conf:

    client 1.1.1.1 {
        secret    = mysecret
        shortname = CompanyA_client1
    }
    client 2.2.2.2 {
        secret    = mysecret
        shortname = CompanyA_client2
    }

huntgroups file:

    CompanyGroupA CompanyA_client1
    CompanyGroupA CompanyA_client2

sites-enabled/default (authorize section):

    if (CompanyGroupA == Packet-Src-IP-Address) {
        ldap_companyA
    }
    elsif (CompanyGroupB == Packet-Src-IP-Address) {
        ldap_companyB
    }
So to set up a new RADIUS client for a customer, I would only have to add the RADIUS client and add it to the company's client group?
> Frank Skovboel wrote:
> > Where would I place this (what file under which section?), and do I
> > need to do something special to make sure it does not try to
> > authenticate the user?
>
> In the "authorize" section. Look at raddb/sites-available/default.
> There are examples of using the "ldap" module.
>
> > Where can I read about the response codes that I can expect on
> > "found user" and "user not found" ?
>
> $ man unlang
>
> > "else proxy it" is that about using update control ?
>
> Yes.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
--
Thank you,
Frank
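The two mechanisms Frank is reaching for above both exist in FreeRADIUS 2.x, and the sketch in the mail is close but not quite valid unlang. The following is an added example written for this page, not configuration from the thread or from the FreeRADIUS project itself. It assumes the `preprocess` module is enabled with its default `huntgroups` file, that the `ldap_companyA` / `ldap_companyB` module instances named in the mail already exist, and uses constructed client IPs and shortnames. The first variant keeps Frank's huntgroup idea (the huntgroups file matches check items such as `NAS-IP-Address` against the request, so the IP is repeated there); the second variant keys on `Client-Shortname` with a per-company prefix so the IP is written in `clients.conf` only.

```conf
# ---- clients.conf ---------------------------------------------------------
# The shared secret and IP live here and nowhere else. The shortname carries
# the company as a prefix so it can be matched on later (constructed values).
client 1.1.1.1 {
    secret    = mysecret
    shortname = CompanyA_client1
}
client 2.2.2.2 {
    secret    = mysecret
    shortname = CompanyA_client2
}
client 3.3.3.3 {
    secret    = mysecret
    shortname = CompanyB_client1
}

# ---- huntgroups (variant 1) -----------------------------------------------
# Format is: <group name>  <check item>. The preprocess module compares the
# check item against the request and, on a match, adds Huntgroup-Name to it.
# The file matches request attributes, not the client shortname, so the IP
# appears here as well as in clients.conf.
CompanyGroupA   NAS-IP-Address == 1.1.1.1
CompanyGroupA   NAS-IP-Address == 2.2.2.2
CompanyGroupB   NAS-IP-Address == 3.3.3.3

# ---- sites-enabled/default, authorize section (variant 1) ------------------
authorize {
    preprocess                      # reads huntgroups, sets Huntgroup-Name

    if (Huntgroup-Name == "CompanyGroupA") {
        ldap_companyA
    }
    elsif (Huntgroup-Name == "CompanyGroupB") {
        ldap_companyB
    }
    else {
        # A NAS that belongs to no group must not fall through to a default
        # directory; reject explicitly so a missing huntgroup line is visible
        # in the logs instead of silently authorising against the wrong LDAP.
        reject
    }
}

# ---- sites-enabled/default, authorize section (variant 2) ------------------
# Client-Shortname is resolved from the matching clients.conf entry at xlat
# time, so the IP does not need to appear anywhere but clients.conf. Adding a
# new NAS for CompanyA is then a single clients.conf stanza with the prefix.
authorize {
    if ("%{Client-Shortname}" =~ /^CompanyA_/) {
        ldap_companyA
    }
    elsif ("%{Client-Shortname}" =~ /^CompanyB_/) {
        ldap_companyB
    }
    else {
        reject
    }
}
```

Whichever variant is used, keep the `else { reject }` branch: the original sketch has no default case, and an unlisted NAS would otherwise continue down the rest of the `authorize` section as if it belonged to no company at all. Note also that unlang spells the keyword `elsif`, not `elseif`.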