Where do you split users into groups?

jan hugo prins jhp at jhprins.org
Wed Mar 4 21:34:05 CET 2015


Hello,

Until yesterday I did not need huntgroups in my radius config because I
had basically only one usage and this was wireless access.
We are now implementing 802.1x on the wired network as well, and now we
need to split between wireless access and wired access and I have
started using huntgroups to do the basic selection when selecting what I
have to send back to the user.

A part of my users file looks like this:

DEFAULT ldap_bedrijf1-Ldap-Group == "werkneme-bedrijf1", Realm == "bedrijf1.com", Huntgroup-Name == "wireless"
        Aruba-User-Vlan = 101,
        Aruba-User-Role = "authenticated"

DEFAULT ldap_bedrijf1-Ldap-Group == "wireless-bedrijf1", Realm == "bedrijf1.com", Huntgroup-Name == "wireless"
        Aruba-User-Vlan = 2261,
        Aruba-User-Role = "guest"

DEFAULT ldap_bedrijf2s-Ldap-Group == "bedrijf2", Realm == "bedrijf2.nl", Huntgroup-Name == "wireless"
        Aruba-User-Vlan = 2268,
        Aruba-User-Role = "authenticated"

DEFAULT ldap_bedrijf3-Ldap-Group == "bedrijf3", Realm == "bedrijf3.nl", Huntgroup-Name == "wireless"
        Aruba-User-Vlan = 2266,
        Aruba-User-Role = "authenticated"

DEFAULT ldap_bedrijf1-Ldap-Group == "bedrijf1", Realm == "bedrijf1.com", Huntgroup-Name == "wireless", Auth-Type := Reject
        Reply-Message = "Your account does not have wireless access."

DEFAULT FreeRADIUS-Proxied-To == "127.0.0.1", Auth-Type := Reject
        Reply-Message = "Who are you?"

In the huntgroup file I match the Aruba controllers to the wireless
huntgroup.

I read in the huntgroup file that you can create a huntgroup that is
based on both the NAS-IP and the Unix group. I don't know if you can
also match a LDAP group in the huntgroups file, but if this is possible
I could create something like this:

werknemers      NAS-IP-Address == 172.30.27.1, ldap_bedrijf1-Ldap-Group == "werkneme-bedrijf1"

And then in the users file do something like:

DEFAULT Realm == "bedrijf1.com", Huntgroup-Name == "werknemers"
        Aruba-User-Vlan = 101,
        Aruba-User-Role = "authenticated"

If both are valid, what is the preferred way of doing this?

Jan Hugo Prins
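As an added illustration (not part of the post above and not FreeRADIUS code), the following Python script models how rlm_files walks the DEFAULT entries in the users file quoted above: entries are tried top to bottom, an entry matches only when all of its `==` check items hold, the first match wins unless it sets `Fall-Through = Yes`, and `:=` check items land in the control list while the indented lines become reply items. The users file text is a constructed copy of the one in the post with each entry's check items on a single line (the users file does not allow them to wrap). The `<instance>-Ldap-Group` comparison, which the ldap module really resolves with a group-membership search, is modelled here as a set lookup; that simplification and the sample requests are assumptions made for the example. It shows why entry order matters: a user who is in both "werkneme-bedrijf1" and "bedrijf1" gets VLAN 101, a user who is only in "bedrijf1" reaches the Reject entry, and a wired request (Huntgroup-Name "wired") matches nothing at all unless it carries FreeRADIUS-Proxied-To.

```python
"""Model of how rlm_files evaluates DEFAULT entries (example, not FreeRADIUS code)."""
import re

# Constructed copy of the users file from the post, check items on one line per entry.
USERS_FILE = """\
DEFAULT ldap_bedrijf1-Ldap-Group == "werkneme-bedrijf1", Realm == "bedrijf1.com", Huntgroup-Name == "wireless"
        Aruba-User-Vlan = 101,
        Aruba-User-Role = "authenticated"

DEFAULT ldap_bedrijf1-Ldap-Group == "wireless-bedrijf1", Realm == "bedrijf1.com", Huntgroup-Name == "wireless"
        Aruba-User-Vlan = 2261,
        Aruba-User-Role = "guest"

DEFAULT ldap_bedrijf2s-Ldap-Group == "bedrijf2", Realm == "bedrijf2.nl", Huntgroup-Name == "wireless"
        Aruba-User-Vlan = 2268,
        Aruba-User-Role = "authenticated"

DEFAULT ldap_bedrijf3-Ldap-Group == "bedrijf3", Realm == "bedrijf3.nl", Huntgroup-Name == "wireless"
        Aruba-User-Vlan = 2266,
        Aruba-User-Role = "authenticated"

DEFAULT ldap_bedrijf1-Ldap-Group == "bedrijf1", Realm == "bedrijf1.com", Huntgroup-Name == "wireless", Auth-Type := Reject
        Reply-Message = "Your account does not have wireless access."

DEFAULT FreeRADIUS-Proxied-To == "127.0.0.1", Auth-Type := Reject
        Reply-Message = "Who are you?"
"""

# attribute, operator, quoted-or-bare value
ITEM_RE = re.compile(r'([\w-]+)\s*(==|:=|=)\s*("[^"]*"|[^,\s]+)')


def _items(text):
    return [(attr, op, value.strip('"')) for attr, op, value in ITEM_RE.findall(text)]


def parse_users(text):
    """Return a list of (name, check_items, reply_items) in file order."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():          # indented line: reply items of the current entry
            entries[-1][2].extend(_items(line))
        else:                          # column-0 line: entry name followed by check items
            name, _, rest = line.partition(" ")
            entries.append((name, _items(rest), []))
    return entries


def check_matches(attr, value, request):
    """One '==' check item. Ldap-Group is a membership test (assumption: modelled as a set)."""
    if attr.endswith("-Ldap-Group"):
        return value in request.get(attr, set())
    return request.get(attr) == value


def lookup(entries, request):
    """Walk entries like rlm_files: first match wins unless it sets Fall-Through = Yes.
    Returns (control, reply) dicts, or None when no entry matched."""
    control, reply, matched = {}, {}, False
    for name, checks, replies in entries:
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        if not all(check_matches(a, v, request) for a, op, v in checks if op == "=="):
            continue
        matched = True
        control.update((a, v) for a, op, v in checks if op == ":=")   # e.g. Auth-Type := Reject
        reply.update((a, v) for a, _, v in replies)
        if reply.pop("Fall-Through", "No").lower() != "yes":
            break
    return (control, reply) if matched else None


# Constructed sample requests; Huntgroup-Name is what the huntgroups file would have set.
EMPLOYEE_WIFI = {"User-Name": "jan@bedrijf1.com", "Realm": "bedrijf1.com", "Huntgroup-Name": "wireless",
                 "ldap_bedrijf1-Ldap-Group": {"werkneme-bedrijf1", "bedrijf1"}}
NO_WIFI_USER = {"User-Name": "piet@bedrijf1.com", "Realm": "bedrijf1.com", "Huntgroup-Name": "wireless",
                "ldap_bedrijf1-Ldap-Group": {"bedrijf1"}}
EMPLOYEE_WIRED = dict(EMPLOYEE_WIFI, **{"Huntgroup-Name": "wired"})
EMPLOYEE_WIRED_PROXIED = dict(EMPLOYEE_WIRED, **{"FreeRADIUS-Proxied-To": "127.0.0.1"})

if __name__ == "__main__":
    entries = parse_users(USERS_FILE)
    for label, req in [("employee wifi", EMPLOYEE_WIFI), ("no-wifi user", NO_WIFI_USER),
                       ("employee wired", EMPLOYEE_WIRED), ("wired, proxied", EMPLOYEE_WIRED_PROXIED)]:
        print(f"{label:15} -> {lookup(entries, req)}")
```

Running it shows the wired employee request producing `None`: none of the entries mention the wired huntgroup, so the users file contributes nothing and the outcome of that request is decided entirely by whatever else is in the authorize section.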
