Hello,<div><br></div><div>I have setup freeradius with ldap lookup to authentication Cisco shell access. As if now i have 2 groups setup in the ldap database. One is for network admins who have full access to every device. The second group is for support staff that only have read access to all the devices, but within this group are some individuals who need full access to some devices. I'm trying to figure out what will be the best way to implement this? Do i create another group in ldap and make them members of that group (not sure if this will work because if one group is matched the searched will be stopped in the users file)? Do i use unlang to modify the accept-accpet based on username and NAS-ip? i trying to keep this as hands off as possible when it comes to management in the long run. If anyone has any experience dealing with such an issues, your advice will be greatly appreciated.</div>
<div><br></div><div>Thanks in advance for you help.</div><div><br></div><div>Aqdas</div>