On Tue, May 10, 2011 at 01:59:44PM -0300, Marcos TP wrote:
Huntgroups I know, but the functionality it provides me not for me. I need the user only has permission to access a NAS, as much as I could with Huntgroups was to restrict the access group, because several groups have access, containing their speed and can not do the search for access group, but by concentrator.
Read the "unlang" documentation; then add some logic in the "authorize" section of your server config. You don't even need huntgroups if you're just authorizing a single NAS-IP-Address: if ("%{control:Permitted-NAS}" && "%{control:Permitted-NAS}" != NAS-IP-Address) { reject } However I'd suggest you use huntgroups for greater flexibility. if ("%{control:Permitted-Huntgroup}" && "%{control:Permitted-Huntgroup}" != Huntgroup-Name) { reject } Using this approach, you'd need to add a new attribute in your dictionary, such as "Permitted-NAS" and "Permitted-Huntgroup" in the examples above (I just picked these at random) Then in the radcheck table for the user, set the control attribute: Permitted-NAS := 1.2.3.4 That's one way to do it anyway.
I think the lock should be in the Login table, where I have a field to indicate which NAS that User has access.
Ah, well if you have a custom schema, then you need to show the schema. If you have a "users" table and you do a join to select the radcheck attributes, then you could just change the query you're using, limiting it to only matching the expected NAS-IP-Address or Huntgroup-Name: ... AND (permitted_nas = '%{NAS-IP-Address}' OR permitted_nas IS NULL) alternatively: ... AND (permitted_huntgroup = '%{Huntgroup-Name}' OR permitted_huntgroup IS NULL) Regards, Brian.