Matt Hite wrote:
- Different brands of gear should get different VSAs and/or general attributes returned in Access-Accept messages. For example, if I log in from a Cisco device, I should get a different RADIUS attribute sent back than when logging in from a F5 or a NetScreen.
It's not well known, but the configuration files can be used as a simple database. Any "well formed" text will be accepted, and can be lookup up later. e.g.: client foo { ipaddr = ... secret = ... myfield = cisco .. } Then when processing a packet: if ("%{client:myfield}" == "cisco") { ... } You can define your own data, and put each device into it's own "group", simply by adding a field to each "client" entry. Then, return the appropriate attributes for each type of client.
- Some users can log into certain groups of devices, others should not be able to
Use the same thing, but also using "groups" for the users. client foo { ... class = foo } Then in a processing section (authorize, etc.) if ((Group == "limited") && ("%{client:class}" != "foo")) { reject } If you don't want "unix" groups, see "man rlm_passwd". Alan DeKok.