Re: Example listed in huntgroup file does not work
I am looking at that option, but I should not have to. Per the huntgroups file: "# This file can also be used to define restricted access # to certain huntgroups. The second and following lines # define the access restrictions (based on username and # UNIX usergroup) for the huntgroup. #" So I can create a huntgroup with multiple Nas, but the 'second and following lines' are only recognized by the last entry in the huntgroup. So If I go with groups, I should be able to add the following: (can someone tell me if this is the write syntax, or do I still have to add something to the dictionary.... have to leave right now to catch a flight. Thanks) File radiusd.conf passwd etc_group { filename = /usr/local/ett/raddb/grouplist format = "=Group-Name:*,User-Name" hashsize = 50 ignorenislike = yes allowmultiplekeys = yes delimiter = ":" } ================= File /usr/local/etc/raddb/grouplist: datacenter:user1,user2,usera ================== File huntgroups: Limit1 NAS-IP-Address == 192.168.2.5 Limit1 NAS-IP-Address == 192.168.2.6 Group-Name == datacenter --- Walt Reynolds Principal Systems Security Development Engineer Information Technology Central Services University of Michigan (734) 615-9438
Message: 8 Date: Thu, 13 Dec 2007 12:55:51 +0000 From: A.L.M.Buxey@lboro.ac.uk Subject: Re: Example listed in huntgroup file does not work To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <20071213125551.GA29697@lboro.ac.uk> Content-Type: text/plain; charset=us-ascii
Hi,
I should say that I do not want to use an external solution. Creating a huntgroup for each NAS with the exact same user list does work, but then if I have to change a user I would then have to modify what could be over 100 groups.
i think, therein, lies your problem - you havent looked at the whole logical design - and are fixated on the singular huntgroups file.
if you want to control users, in groups, with huntgroups etc then you should be using the huntgroup file to define NAS in groups, and then another config file eg users to tie users to those huntgroups.
alan
------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
End of Freeradius-Users Digest, Vol 32, Issue 37 ************************************************
Hi,
"# This file can also be used to define restricted access # to certain huntgroups. The second and following lines # define the access restrictions (based on username and # UNIX usergroup) for the huntgroup. #"
so why not do as i suggest and define usergroups - then add the user to such groups? if you want this to scale then i'd have to say that SQL is the way to go.
So I can create a huntgroup with multiple Nas, but the 'second and following lines' are only recognized by the last entry in the huntgroup.
no, they become sub-group huntgroup entries - you need to enter the same 'following lines' on all members of the huntgroup alan
Dana 13/12/2007, "Reynolds, Walter" <waltr@umich.edu> piše:
I am looking at that option, but I should not have to. Per the huntgroups file:
"# This file can also be used to define restricted access # to certain huntgroups. The second and following lines # define the access restrictions (based on username and # UNIX usergroup) for the huntgroup. #"
So I can create a huntgroup with multiple Nas, but the 'second and following lines' are only recognized by the last entry in the huntgroup. So If I go with groups, I should be able to add the following: (can someone tell me if this is the write syntax, or do I still have to add something to the dictionary.... have to leave right now to catch a flight. Thanks)
File radiusd.conf
passwd etc_group { filename = /usr/local/ett/raddb/grouplist format = "=Group-Name:*,User-Name" hashsize = 50 ignorenislike = yes allowmultiplekeys = yes delimiter = ":" }
Yes, you can create groups through files with rlm_passwd module.
File huntgroups:
Limit1 NAS-IP-Address == 192.168.2.5 Limit1 NAS-IP-Address == 192.168.2.6 Group-Name == datacenter ---
That's not going to work for the same reason as the list of usernames. It is listed only for the last entry. You don't seem to comprehend that it's totally irrelevant do the entries have same or different names *inside* the huntgroups file. Grouping (giving entries the same name) only has such effect *outside* the huntgroups file when you use Huntgroup-Name attribute. To save you some bother - don't group datacenter users. You don't want to tie users to certain devices, you want to prevent some others to gain access to those devices. Entry like this in users file will do that: DEFAULT Group-Name == nopasaran, Huntgroup-Name == Limit1, Auth-Type := Reject Ivan Kalik Kalik Informatika ISP
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Reynolds, Walter -
tnt@kalik.co.yu