Yes, they can. They are not restricted in any way. Group fw-group is restricted only to 10.0.0.1 and 10.0.0.2. If you want to stop other groups from logging in there make huntgroups like this: fw-pix NAS-IP-Address == 10.0.0.1 Group = fw-group fw-pix NAS-IP-Address == 10.0.0.2 Group = fw-group Router groups will then be able to login elsewhere but not on 1.0.0.1 and 10.0.0.2 Ivan Kalik Kalik Informatika ISP Dana 4/5/2007, "Norman Zhang" <norman.zhang@gmail.com> piše:
Alan DeKok wrote:
If you want only groups A and B to log in, do:
DEFAULT Group == A, Auth-Type = System ...
DEFAULT Group == B, Auth-Type = System ...
DEFAULT Auth-Type := Reject
Thanks. Here's what I done.
DEFAULT Group == router-ro, Auth-Type = System Service-Type = NAS-Prompt-User, cisco-avpair := "shell:priv-lvl=7"
DEFAULT Group == router-rw, Auth-Type = System Service-Type = NAS-Prompt-User, cisco-avpair := "shell:priv-lvl=15"
but I can't get restriction for another group "fw-group" to work.
*added to users* DEFAULT Group == fw-group, Auth-Type = System Huntgroup-Name == "fw-pix", Service-Type = NAS-Prompt-User, cisco-avpair := "shell:priv-lvl=15"
*added to huntgroups* fw-pix NAS-IP-Address == 10.0.0.1 fw-pix NAS-IP-Address == 10.0.0.2
Group "router-ro" and "router-rw" still can login to the PIX. Can you give me few more pointers?
Norman
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html