At 11:21 AM 11/30/2009, freeradius@corwyn.net wrote:
Add to top of ./raddb/users:
DEFAULT Ldap-Group == "UserGroup",Service-Type = NAS-Prompt-User,cisco-avpair = "shell:priv-lvl=15" DEFAULT Auth-Type = ntlm_auth
Hmm, it looks like DEFAULT Ldap-Group == "UserGroup",Service-Type = NAS-Prompt-User,cisco-avpair = "shell:priv-lvl=15" is not the same as DEFAULT Ldap-Group == "UserGroup" Service-Type = NAS-Prompt-User,cisco-avpair = "shell:priv-lvl=15" After some tinkering: DEFAULT Auth-Type:=Accept,Ldap-Group == "Infrastructure" Service-Type=NAS-Prompt-User,cisco-avpair="shell:priv-lvl=15" appears to work with the rest of the config, and users in the Infrastructure group can log in, and other users cannot! However, this means that if you're in ./users you authorize (regardless of where I think you're going). Is there a way to associate the users data only with a particular virtual server config? Rick