Huntgroup-Name vs client:group
Óscar Remírez de Ganuza Satrústegui
oscarrdg at unav.es
Fri Oct 30 17:13:54 CET 2015
Good afternoon,
We are migrating previous radius (2.1.9) authentication to a new instance
of freeradius (3.0.10).
We are moving two different configurations to a single radius.
As we are supporting AAA from different services, we are using
Huntgroup-Name attribute to separate the authorization.

    if ( Huntgroup-Name == 'Wireless' ) {
        if ( Ldap-Group == "unav.wireless.1" ) {
            update reply {
                ...
            }
        }
        ...
    }
    elsif ( Huntgroup-Name == 'Wired' ) {
        if ( Ldap-Group == "unav.wired.1" ) {
            ...
        }
        ....
    }

We are doing it even on the inner-tunnel; using copy_request_to_tunnel, and
with module preprocess on the inner-tunnel.
It is working ok.
But I have just found a previous suggestion on this list [1] in which it is
suggested to check "client:group" instead of huntgroup-name:
*"do policy checking via %{client:group} instead of Huntgroup-Name. It
will do the same thing, and will be *enormously* faster."*
In our particular setting, we have around 7 huntgroups for a total of 20
NAS-Clients. And we receive 20 different Access Requests per second on top
moments.
In our case, do you think that we are also going to experience a much
better performance using client:group instead of huntgroup-name?
I had been looking for information on client:group, but I could not find a
lot of it. [2]
Thank you very much for your help.
Regards,
[1] http://lists.freeradius.org/pipermail/freeradius-users/2014-February/070431.html
[2] https://github.com/FreeRADIUS/freeradius-server/blob/master/raddb/clients.conf
*Oscar Remírez de Ganuza Satrústegui*
IT Services
Universidad de Navarra
Tel. +34 948425600 x803130
http://www.unav.edu/web/it/
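
The client:group form of the policy in the message above, as an added example that is not part of the original post or of the FreeRADIUS distribution. It assumes a custom `group` item placed in each client section of clients.conf and read back through the `%{client:...}` expansion; client names, addresses, secrets and the VLAN reply attributes are constructed placeholders.

```conf
# clients.conf (constructed entries: names, addresses and secrets are placeholders)
client wlc-1 {
    ipaddr = 192.0.2.10
    secret = CHANGE_ME
    group  = Wireless          # custom item, not a built-in keyword
}

client switch-1 {
    ipaddr = 192.0.2.20
    secret = CHANGE_ME
    group  = Wired
}

# authorize section of the virtual server: same branching as the
# Huntgroup-Name policy, but the value comes from the client definition
# that matched the packet's source instead of the huntgroups file.
if ("%{client:group}" == 'Wireless') {
    if (Ldap-Group == "unav.wireless.1") {
        update reply {
            # constructed reply: place the user in VLAN 10
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "10"
        }
    }
}
elsif ("%{client:group}" == 'Wired') {
    if (Ldap-Group == "unav.wired.1") {
        update reply {
            # constructed reply: place the user in VLAN 20
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "20"
        }
    }
}
else {
    # A client with no group item expands to an empty string and
    # lands here: refuse rather than fall through with no policy.
    reject
}
```

Running the server once with `radiusd -X` and sending a test request from each NAS shows the expanded value of `%{client:group}` in the debug output, which confirms every client section carries the intended group before the huntgroups file is retired.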