Specific, complicated, detailed user rights possibility?

Alan DeKok aland at deployingradius.com
Thu Aug 27 16:14:41 CEST 2015


On Aug 27, 2015, at 9:46 AM, Mart Pirita <mart at e-positive.ee> wrote:
> But we need a more detailed setup. For example, the idea is to allow user1 to access some switches and prevent user1 from accessing some other switches. And then even more specific rights: for example, among the switches which user1 can access, he has read-only rights on some switches and read-write rights on others.

  In general, data goes into databases, and policy rules go into the FreeRADIUS config.

  You should put all of these restrictions into an LDAP schema, and then use FreeRADIUS to query that.

> And do it with groups, not using a different configuration for every user, for example, so that users are listed in groups, and these groups are used in access configurations?

  If it's simple, you can put the devices into hunt groups, and the users into LDAP groups.

  If it's more complex... there's no simple solution.

> Huntgroups may be the solution, but as far as I know, huntgroups are for devices, and not for user rights. Also, I don't know whether one and the same device IP can exist in many different huntgroups, or whether one huntgroup can include other huntgroups.

  You can't put hunt groups into other hunt groups.

  Alan DeKok.
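
The "simple" case described above (devices in hunt groups, users in LDAP groups), sketched as an added example that is not part of the original message and not the project's own configuration. It assumes FreeRADIUS 3.x-style syntax and a working `ldap` module with group lookups; the hunt group names, LDAP group names and addresses are constructed, and mapping read-write and read-only to `Service-Type` values is an assumption about what the switches honor.

```unlang
# --- mods-config/preprocess/huntgroups (device side) ---------------------
# Constructed names and documentation-range addresses.
# One line per device; the first field is the hunt group name.
core-switches    NAS-IP-Address == 192.0.2.10
core-switches    NAS-IP-Address == 192.0.2.11
access-switches  NAS-IP-Address == 198.51.100.20

# --- sites-available/default, inside authorize { ... } -------------------
# Place after the "preprocess" and "ldap" entries.
# The LDAP group names are hypothetical. Policy rules live here; the
# group memberships themselves stay in LDAP and in the huntgroups file.

# Admins get read-write on core switches.
if ((Huntgroup-Name == "core-switches") && (LDAP-Group == "net-admins")) {
    update reply {
        # Assumption: the switch treats this as a read-write login.
        Service-Type := Administrative-User
    }
}
# Operators get read-only on core switches.
elsif ((Huntgroup-Name == "core-switches") && (LDAP-Group == "net-operators")) {
    update reply {
        # Assumption: the switch treats this as a read-only login.
        Service-Type := NAS-Prompt-User
    }
}
# Operators get read-write on access switches.
elsif ((Huntgroup-Name == "access-switches") && (LDAP-Group == "net-operators")) {
    update reply {
        Service-Type := Administrative-User
    }
}
# Default deny: any user/device pairing not listed above is refused,
# including devices that are in no hunt group at all.
else {
    reject
}
```

The closing `else { reject }` is what makes this an allow-list: adding a switch to the RADIUS clients without adding it to a hunt group grants nobody access to it.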



