Geoff Silver wrote:
DEFAULT My-Group != "known", Auth-Type := Reject
DEFAULT Auth-Type:=Accept, Huntgroup-Name=="Office", Hint==Port-1812 Connect-Info="OFFICE_NET" DEFAULT Huntgroup-Name=="Office", Hint==Port-1645, Proxy-To-Realm := PROXY_GW Connect-Info="OFFICE_NET"
That will work for the simple case I provided, but my users file is actually a bit more complicated. There are multiple NAS-IP-Address and/or Huntgroups available, and not all users have access to all of them. The only thing guaranteed is that any user who *has* an entry actually has two, one with a Hint==Port-1645 and the other with Hint--Port-1812.
Perhaps a better users file example would be:
user01 Auth-Type:=Accept, NAS-IP-Address==10.1.2.3, Hint==Port-1812 user01 Auth-Type:=Accept, NAS-IP-Address==10.1.2.4, Hint==Port-1812 user01 NAS-IP-Address==10.1.2.3, Hint==Port-1645, Proxy-To-Realm:=PROXY_GW user02 Auth-Type:=Accept, NAS-IP-Address==10.1.2.3, Hint==Port-1812 user03 NAS-IP-Address==10.1.2.4, Hint==Port-1645, Proxy-To-Realm:=PROXY_GW
Additionally, none of these folks have (or can have) /etc/passwd accounts on this system, so I'm not sure that rlm_passwd will work for me necessarily (plus, we're back to the "not every user has access to every NAS/Huntgroup" problem).
rlm_passwd would be better named "rlm_lookup" or "rlm_mapping" or "rlm_keyval". I use it very successfully after a hint from Alan to cut down combinatorial explosion: modules { passwd nas2kind { file = /etc/raddb/nas2kind format = "*NAS-IP-Address:~NasKind" } passwd user2group { file = /etc/raddb/user2group format = "*User-Name:~Group" } } authorize { preprocess nas2kind user2group users } /etc/nas2kind: 10.1.2.3:type1 10.1.2.4:type2 /etc/user2group: user01:nasgroup1-p1812 user01:nasgroup2-p1812 user01:nasgroup1 user02:nasgroup1-p1812 user03:nasgroup2-p1812 /etc/raddb/users: # Skip unknown users DEFAULT Group !* ANY, Auth-Type := Reject DEFAULT Group=="nasgroup1-p1812", NasKind=="type1", Hint==Port-1812, Auth-Type := Accept DEFAULT Group=="nasgroup2-p1812", NasKind=="type2", Hint==Port-1812, Auth-Type := Accept DEFAULT Group=="nasgroup1", NasKind=="type1", Hint==Port-1645, Proxy-To-Realm := PROXY_GW DEFAULT Group=="nasgroup2", NasKind=="type2", Hint==Port-1645, Proxy-To-Realm := PROXY_GW Hopefully that's clear. Note that the passwd instances are defined to add the values to the request (because it's hard to match on == for config/reply items in users) so you'll need to make sure those value names are in a local dictionary somewhere. Note also that the above is a literal translation of your most recent email - I believe in your original email you matched on Huntgroup-Name, in which case you can skip the NasKind mapping and simplify things somewhat.