NAS-restricted users

brent s. bts at square-r00t.net
Wed May 9 23:06:34 CEST 2018


On 05/09/2018 04:35 PM, Alan DeKok wrote:
> On May 9, 2018, at 2:42 PM, brent s. <bts at square-r00t.net> wrote:
>> Oops, sorry - I meant the %{...} dynamic string expansions. In other
>> words, based on the above it would seem I can do this (pardon the
>> line breaking):
> 
>   The filter is expanded dynamically.  You can put anything you want in it, so long as the attribute exists.
> 
>> filter=(&(cn=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=ou=%{NAS-Identifier},ou=Groups,dc=domain,dc=tld))
>> correct?
> 
>   That should be fine.
> 
>>>> 3.) Is there a better way to do this (preferably without duplicating NAS
>>>> entries)? Ideally without using huntgroups or the like, which is how I
>>>> usually see this sort of functionality achieved.
>>>
>>>  LDAP groups are by far and away the best solution.
>>>
>>
>> Looks like groups would need to be the way to go, yeah.
>>
>> The above, if correct, would also work with dynamic-clients as well, yes?
> 
>   No.  Dynamic clients are only matched by source IP.  You can't look at the packet contents.
> 
>   That's changed in v4.  v4 supports connection-based clients.  i.e. different shared secrets for each machine behind a NAT gateway.
> 
>   v4 isn't released yet, though.  You can try it, and if it works, that's nice.  But if anything goes wrong, we still recommend using v3.
> 
>   Alan DeKok.

Thanks again, Alan. That answers all the questions I had. You've been a
big help.


-- 
brent saner
https://square-r00t.net/
GPG info: https://square-r00t.net/gpg-info
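To make the expansion in that filter concrete, here is a small Python model of the %{...} syntax with its %{A:-B} fallback, together with the RFC 4515 escaping that rlm_ldap applies to expanded values before they reach the directory. This is an added example, not FreeRADIUS code or anything from the thread; the request attributes are constructed, and note that the NAS-Identifier the group DN is built from is whatever the NAS itself put in the request (the shared secret authenticates the client, not that value).

```python
# Toy re-implementation of the %{...} expansion used in the rlm_ldap filter
# above, with %{A:-B} fallback and RFC 4515 escaping. Added example, not
# FreeRADIUS code; request attributes below are constructed.

FILTER_TEMPLATE = (
    "(&(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
    "(memberOf=ou=%{NAS-Identifier},ou=Groups,dc=domain,dc=tld))"
)

def ldap_escape(value):
    """Escape a filter assertion value per RFC 4515 so that request-supplied
    text cannot change the structure of the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch
                   for ch in value)

def _resolve(parts, attrs):
    """parts: ('lit', char) from the template or ('val', text) from an inner
    %{...} already expanded. A literal ':-' separates primary from default."""
    for j in range(len(parts) - 1):
        if parts[j] == ("lit", ":") and parts[j + 1] == ("lit", "-"):
            primary = "".join(t for _, t in parts[:j])
            default = "".join(t for _, t in parts[j + 2:])
            return primary if primary else default
    name = "".join(t for _, t in parts)       # plain %{Attribute-Name}
    return ldap_escape(attrs.get(name, ""))  # unknown attribute -> ""

def _parse(template, attrs, i, nested):
    parts = []
    while i < len(template):
        if template.startswith("%{", i):
            inner, i = _parse(template, attrs, i + 2, True)
            parts.append(("val", _resolve(inner, attrs)))
        elif nested and template[i] == "}":
            return parts, i + 1
        else:
            parts.append(("lit", template[i]))
            i += 1
    return parts, i

def build_filter(template, attrs):
    """Expand a FreeRADIUS-style filter template against request attributes."""
    parts, _ = _parse(template, attrs, 0, False)
    return "".join(t for _, t in parts)

if __name__ == "__main__":
    for req in ({"Stripped-User-Name": "alice", "User-Name": "alice@example.org",
                 "NAS-Identifier": "vpn-gw-01"},
                {"User-Name": "*)(uid=*", "NAS-Identifier": "wifi-ap-02"}):
        print(build_filter(FILTER_TEMPLATE, req))
```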
