Alan DeKok wrote:
You appear to have two independent requirements:
1) port 1645 versus 1812 checks 2) allowing only known users
The first can be solved by what you have. The second can be solved by putting all of the known users into a group (see rlm_passwd). Then, in the "users" file, do:
DEFAULT My-Group != "known", Auth-Type := Reject
DEFAULT Auth-Type:=Accept, Huntgroup-Name=="Office", Hint==Port-1812 Connect-Info="OFFICE_NET" DEFAULT Huntgroup-Name=="Office", Hint==Port-1645, Proxy-To-Realm := PROXY_GW Connect-Info="OFFICE_NET"
That will work for the simple case I provided, but my users file is actually a bit more complicated. There are multiple NAS-IP-Address and/or Huntgroups available, and not all users have access to all of them. The only thing guaranteed is that any user who *has* an entry actually has two, one with a Hint==Port-1645 and the other with Hint--Port-1812. Perhaps a better users file example would be: user01 Auth-Type:=Accept, NAS-IP-Address==10.1.2.3, Hint==Port-1812 user01 Auth-Type:=Accept, NAS-IP-Address==10.1.2.4, Hint==Port-1812 user01 NAS-IP-Address==10.1.2.3, Hint==Port-1645, Proxy-To-Realm:=PROXY_GW user02 Auth-Type:=Accept, NAS-IP-Address==10.1.2.3, Hint==Port-1812 user03 NAS-IP-Address==10.1.2.4, Hint==Port-1645, Proxy-To-Realm:=PROXY_GW Additionally, none of these folks have (or can have) /etc/passwd accounts on this system, so I'm not sure that rlm_passwd will work for me necessarily (plus, we're back to the "not every user has access to every NAS/Huntgroup" problem).