Hello all. First off here's what I want to accomplish in the end. Use LDAP as the backend to store all user information including radius attributes, shell info and access to specific devices in specific locations. For example, Johnny needs access to all linux boxes in Atlanta and priv-level 15 on cisco routers in Denver. Fred needs read/write access to all packet shappers in Denver and read only to all cisco devices in Atlanta and Denver. You get the picture. I've setup a test server following the document in /opt/freeradius/share/doc/freeradius/ldap_howto.txt without much difficulty. This method does a good job of allowing only certain groups to access certain devices without messing with the huntgroups. Here's the problem. When a user logs in and is a member of more than one group radius only uses the first one to match. I've included the users file below. For example, if the user is a member of the cisco group and the packeteer group only the packeteer group information gets passed back because it is found before the cisco group. Is there a way to say that the request is from a Cisco box so only look for the user in the cisco group? If the user is then found in that group then pass back the correct attributes from their profile. I know I would have to define what a "cisco box" is, probably by IP. Please let me know if this is even possible and if so provide an example. If it is not possible please provide some direction on how to go about doing this. Freeradius 1.1.7 *_Users file_* DEFAULT Ldap-Group == acct_disabled, Auth-Type := Reject Reply-Message = "Account disabled. Please call the helpdesk." DEFAULT Ldap-Group == packeteer_read_only,User-Profile := "uid=packeteer_read_only,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP Fall-Through = no DEFAULT Ldap-Group == Packeteer,User-Profile := "uid=Packeteer,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP Fall-Through = no DEFAULT Ldap-Group == netscreen,User-Profile := "uid=netscreen,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP Fall-Through = no DEFAULT Ldap-Group == cisco_priv_15,User-Profile := "uid=cisco_priv_15,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP Fall-Through = no DEFAULT Ldap-Group == cisco_priv_1,User-Profile := "uid=cisco_priv_1,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP Fall-Through = no DEFAULT Ldap-Group == netscreen,User-Profile := "uid=netscreen,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP DEFAULT Auth-Type := Reject Reply-Message = "Please call the helpdesk." DEFAULT Auth-Type = System fall-Through = 1 Radiusd.conf ldap section ldap { server = "localhost" identity = "cn=Manager,dc=csctus,dc=net" password = xxxxxxx basedn = "ou=users,ou=radius,dc=csctus,dc=net" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" # base_filter = "(objectclass=radiusprofile)" # set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # The StartTLS operation is supposed to be used with normal # ldap connections instead of using ldaps (port 689) connections #start_tls = yes # tls_cacertfile = /path/to/cacert.pem # tls_cacertdir = /path/to/ca/dir/ # tls_certfile = /path/to/radius.crt # tls_keyfile = /path/to/radius.key # tls_randfile = /path/to/rnd # tls_require_cert = "demand" # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" #default_profile = "uid=Packeteer,ou=profiles,ou=radius,dc=csctus,dc=net" #profile_attribute = "radiusProfileDn" #access_attr = "DialupAccess" # Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 ldap_cache_timeout = 120 ldap_cache_size = 0 ldap_connections_number = 10 # # NOTICE: The password_header directive is NOT case insensitive # # password_header = "{clear}" # # Set: # password_attribute = nspmPassword # # to get the user's password from a Novell eDirectory # backend. This will work *only if* freeRADIUS is # configured to build with --with-edir option. # # # The server can usually figure this out on its own, and pull # the correct User-Password or NT-Password from the database. # # Note that NT-Passwords MUST be stored as a 32-digit hex # string, and MUST start off with "0x", such as: # # 0x000102030405060708090a0b0c0d0e0f # # Without the leading "0x", NT-Passwords will not work. # This goes for NT-Passwords stored in SQL, too. # password_attribute = userPassword # # Un-comment the following to disable Novell eDirectory account # policy check and intruder detection. This will work *only if* # FreeRADIUS is configured to build with --with-edir option. # edir_account_policy_check=no # groupname_attribute = radiusGroupName #groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" groupmembership_filter = (&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile)) groupmembership_attribute = radiusGroupName timeout = 4 timelimit = 3 net_timeout = 1 # compare_check_items = yes # do_xlat = yes # access_attr_used_for_allow = yes # # By default, if the packet contains a User-Password, # and no other module is configured to handle the # authentication, the LDAP module sets itself to do # LDAP bind for authentication. # # You can disable this behavior by setting the following # configuration entry to "no". # # allowed values: {no, yes} # set_auth_type = yes } dn: dc=csctus,dc=net objectClass: dcObject objectClass: organizationUnit ou: csctus.net Radius dc: csctus dn: ou=radius,dc=csctus,dc=net objectclass: organizationalunit ou: radius dn: ou=profiles,ou=radius,dc=csctus,dc=net objectclass: organizationalunit ou: profiles dn: ou=users,ou=radius,dc=csctus,dc=net objectclass: organizationalunit ou: users dn: ou=admins,ou=radius,dc=csctus,dc=net objectclass: organizationalunit ou: admins dn: uid=dial,ou=profiles,ou=radius,dc=csctus,dc=net objectclass: radiusprofile uid: dial radiusServiceType: Framed-User radiusFramedProtocol: PPP radiusFramedIPNetmask: 255.255.255.0 radiusFramedRouting: None dn: uid=cisco,ou=profiles,ou=radius,dc=csctus,dc=net objectclass: radiusprofile uid: cisco radiusReplyItem: Cisco-AVPair ="priv-lvl=15" dn: uid=packeteer,ou=profiles,ou=radius,dc=csctus,dc=net objectclass: radiusprofile uid: packeteer radiusReplyItem: Packeteer-AVPair = "access=touch" dn: uid=isdn,ou=profiles,ou=radius,dc=csctus,dc=net objectclass: radiusprofile uid: isdn radiusServiceType: Framed-User radiusFramedProtocol: PPP radiusFramedIPNetmask: 255.255.255.0 radiusFramedRouting: None dn: uid=example,ou=users,ou=radius,dc=csctus,dc=net objectclass: radiusProfile uid: example userPassword: test radiusGroupName: dial radiusGroupName: isdn dn: uid=bevege,ou=users,ou=radius,dc=csctus,dc=net radiusGroupName: cisco_priv_15 radiusGroupName: Packeteer objectClass: radiusprofile uid: bevege userPassword: {MD5}xxxxxxxxx dn: cn=freeradius,ou=admins,ou=radius,dc=csctus,dc=net objectclass: person sn: freeradius cn: freeradius userPassword: freeradius dn: cn=billing,ou=admins,ou=radius,dc=csctus,dc=net objectclass: person sn: billing cn: billing userPassword: billing dn: cn=replica,ou=admins,ou=radius,dc=csctus,dc=net objectclass: person sn: replica cn: replica userPassword: replica Thanks, BE