Setting internal attributes per client

Alan DeKok aland at deployingradius.com
Mon Oct 30 02:04:29 CET 2017


On Oct 29, 2017, at 8:54 PM, Nathan Ward <lists+freeradius at daork.net> wrote:
> Right now I have some policies that match request:NAS-IP-Address against a list of IPs. It’s a bit annoying to have to add clients in clients.conf and in the policy config. Manageable sure, but, I’m wondering if there’s a better way.
> 
> Is there a way to have some sort of per-client policy, other than matching NAS-IP-Address or similar? Can I look at shortname as configured in clients.conf (I could add tokens to this, for example, ‘iosxrbng_<original hostname>’)?

  There's no real way to do this unfortunately.

  The usual way is to put clients into groups, and then return attributes based on that.

> It occurred to me that a useful thing would be setting attributes in clients.conf, i.e.:
> 
> client example.org {
> 	ipaddr		= radius.example.org
> 	secret		= testing123
> 	Tmp-String-0	= BNGFlavourPurple
> }
> 
> Maybe. :-)

  Almost:

client example.org {
	ipaddr		= radius.example.org
	secret		= testing123
	mygroup		= "cisco"
}

  And then:

authorize {
	...
	if ("%{client:mygroup}" == "cisco") {
		... add reply attributes ...
	}
	...
}

  Not quite perfect, but it does work.

  Alan DeKok.
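
The two fragments above combined into one grouped configuration, as an added example that is not part of the original thread. The client names, the 192.0.2.x addresses, the reply attribute values and the choice to reject ungrouped clients are constructed assumptions; "mygroup" is the custom item from the reply above.

```conf
# clients.conf
# Constructed sample clients. "mygroup" is a custom per-client item,
# not a built-in clients.conf keyword.
client bng1 {
	ipaddr		= 192.0.2.10
	secret		= testing123
	mygroup		= "cisco"
}

client bng2 {
	ipaddr		= 192.0.2.11
	secret		= testing123
	mygroup		= "cisco"
}

client edge1 {
	ipaddr		= 192.0.2.20
	secret		= testing123
	mygroup		= "other"
}

# sites-enabled/default
authorize {
	# The value comes from the clients.conf entry that matched the
	# packet's source address, so the policy needs no second list of
	# NAS-IP-Address values.
	switch "%{client:mygroup}" {
		case "cisco" {
			update reply {
				# Constructed value, for illustration only.
				Cisco-AVPair += "constructed=example"
			}
		}
		case "other" {
			update reply {
				# Constructed value, for illustration only.
				Filter-Id := "constructed-filter"
			}
		}
		# A client without a mygroup item expands to an empty string
		# and ends up here. Rejecting is an assumption of this example;
		# it makes a forgotten group assignment visible.
		case {
			reject
		}
	}
}
```

Adding a NAS then means one clients.conf entry with the right mygroup value and no change to the policy.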



