On 7 Mar 2011, at 22:14, Alexander Clouter wrote:
Guy <guy@britewhite.net> wrote:
I now have FreeRadius granting access and using LDAP for username and password information.
My next challenge, using the same Radius and LDAP server I would like to grant different users access via different NAS clients.
eg in LDAP I would have:
uid=guy services: VPN services: WiFi
If I have the "services: VPN" then I would be allowed to connect to the VPN server and if I don't have that entry in my LDIF then it would not be allowed to access.
Any ideas on how to do this, simply?
..."Dear Lazyweb" eh? You should really *attempt* to try, or show you have attempted something,
Dear Teacher", just like back at school "Please show your working.." :) I did spend quite some time searching for the answer, however documentation "end-to-end" seems to be a little lacking.
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg59481.h... http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg62699.h...
Now use "%{client:keyword}" in your LDAP xlat search query...
Thanks for the the hints.. I've now got this to work... In modules/ldap I changed filter to: filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(authorizedService=%{client:service}))" Then in clients.conf.. just added a an entry to each client: client VPN_Server { secret = ssshhh! shortname = vpn nastype = other service = VPN } And finally for each user in the LDAP database I add the entry: authorsizedService: VPN That's it I can now control access to each client via VPN data.
To be honest though, your approach *abuses* LDAP, you should be adding them to a *group*, not bloating-up and overloading the user object; otherwise you might as well use something horrible like SQL...
I would argue that point most strongly but this is not the place.. Thanks again for the help --Guy
Cheers
-- Alexander Clouter .sigmonster says: A woman can never be too rich or too thin.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html