Assigning Users to Groups Dynamically

J Kephart jkephart at safetynetaccess.com
Wed Dec 16 22:23:11 CET 2015


Hi!

I've been looking through the wiki, but thus far, I've not found
anything that describes what I'd like to be able to do.

We manage on-site hardware for our clients, and that hardware includes
routers, gateways, switches, etc.  What I'd like to be able to do is
assign a user to a group dynamically, based on some identifying
parameter received in the access request, and then have the group's
attributes passed back in the access accept packet. 

So, for example, if any user wants to connect to Vendor A's gateway, we
might have a group defined for that type of device containing:

vendor_a_gateway    Idle-Timeout    =    900
vendor_a_gateway    VSA_1           =    xxx
vendor_a_gateway    VSA_2           =    xxx
vendor_a_gateway    VSA_3           =    xxx

Likewise, for Vendor B, we might have the following:

vendor_b_switch     Idle-Timeout    =    600
vendor_b_switch     VSA_1           =    xxx
vendor_b_switch     VSA_2           =    xxx
vendor_b_switch     VSA_3           =    xxx

Ultimately, then, if a user logs on to a device that we can categorize
as being Vendor A's gateway, we'd automatically associate that user with
the group "vendor_a_gateway", and so on.  In that way, we hope to limit
the number of attributes we need to manage for each user, instead having
a short list of groups with attributes that can be assigned on the fly.

I don't know if I've explained this in a way that makes sense (I hope it
makes sense to someone!), but I wonder if there's a way to do what I've
described.

Hopefully,

Jim

