I'm able to make it work by using huntgroups admin NAS-IP-address =~ "^10\.1\.2\." # thanks a lot to Bjørn User-Name = admin1, User-Name = admin2, ... ... and users admin1 Auth-Type := Local, User-Password == "secret", Huntgroup-Name == "admin" ... I would asume that add a huntgroup in the check line would be the same with database backend. Can you post your solution once you make it work? Thanks, Min -----Original Message----- From: freeradius-users-bounces+mqiu=globalinternetworking.com@lists.freeradius.org on behalf of Lewis Bergman Sent: Tue 1/24/2006 12:01 PM To: FreeRadius users mailing list Subject: Re: Restricting access to a NAS Laker Netman wrote:
I have a Cisco 3660 router configured for dialup AAA through FR (1.0.5) to access our LAN. I also have the login to the router itself, for admin, authenticating through FR (MySQL backend). The same DB is used for all auth, so currently anyone with a dialup account could also telnet into the router. This leaves only my 'enable' password to prevent problems. I want to configure FR to eliminate this ability for all but a select group of users (admins). There are other devices I would like to add to the list later. I've been looking at huntgroups as the solution, but was unsure how (or if) this could be handled via sql rather than the users file.
Is anyone doing this and could provide a sample config layout?
I am not currently doing this but plan to tackle it by using something like a realm of admin when I do get to it. So a user needing admin privs would have to log in like user@admin.user to get access. -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 Off. 325-691-1301 Cell 325-439-0533 fax 325-695-6841 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html