Michał Dopierała wrote:
It is possible in freeradius to have one user who has full privilege level to one equipment (one cisco router privilege lvl15), and limited privilege level to other equipment (other router with smaller privilege e.g. lvl10 which will be configured on router)?
Yes.
How to separate it?
How are the requests different? Use that information to separate the policies for the two routers.
My current configuration of users:
mdopierala Auth-Type := PAP, Crypt-Password = "passwrd"
DON'T set Auth-Type. Honestly. This should be written in huge letters everywhere on all of the documentation.
Service-Type = "Administrative-User", Cisco-AVPair="shell:priv-lvl=15", Brocade-Auth-Role ="Administrator"
And it doesn't contain any *conditional* checks for different clients. You could do: mdopierala Packet-Src-IP-Address == 192.168.1.1, Cleartext-Password := ... ... i.e. check for NAS IP, and return different results based on that. Alan DeKok.