One user - Different Service Type depending on NAS
Hi, I have about 6 people working with Network Administration. 3 of the users should have full access (read/write) to the network (94 Extreme Switches). This is straight forward. The other 3 should have read/write to about 80 switches and read only to the last 14. I understand that I can group devices in huntgroups and users in groups and then control the access. The problem I have is that I don't know how to give a certain user a specific "Service-Type" depending on the NAS he/she tries to connect to. I want the Service Type do differ for certain users depending on the NAS. Admin should always have read/write access to all switches and the others should have "read" on some switches and "read/write" on some. The Service type for Extreme Switches are as follows: Service-Type = Login-User (Read Only) Service-Type = Administrative-User (Read/Write) Best Regards Mats Blomgren
username NAS-IP-Address (or Packet-Src-IP-Address) == whatever Service-Type = whichever Create huntgroups and use Huntgroup-Name for groups of devices. Ivan Kalik Kalik Informatika ISP Dana 13/10/2008, "Mats Blomgren B" <mats.b.blomgren@ericsson.com> piše:
Hi,
I have about 6 people working with Network Administration.
3 of the users should have full access (read/write) to the network (94 Extreme Switches). This is straight forward. The other 3 should have read/write to about 80 switches and read only to the last 14.
I understand that I can group devices in huntgroups and users in groups and then control the access.
The problem I have is that I don't know how to give a certain user a specific "Service-Type" depending on the NAS he/she tries to connect to. I want the Service Type do differ for certain users depending on the NAS. Admin should always have read/write access to all switches and the others should have "read" on some switches and "read/write" on some.
The Service type for Extreme Switches are as follows: Service-Type = Login-User (Read Only) Service-Type = Administrative-User (Read/Write)
Best Regards
Mats Blomgren
Mats Blomgren B wrote:
3 of the users should have full access (read/write) to the network (94 Extreme Switches). This is straight forward. The other 3 should have read/write to about 80 switches and read only to the last 14.
Put the users into groups. Put the NASes into groups. Apply policies based on group membership.
I understand that I can group devices in huntgroups and users in groups and then control the access.
Yes. However, huntgroups may not be the best way to handle this.
The problem I have is that I don't know how to give a certain user a specific "Service-Type" depending on the NAS he/she tries to connect to. I want the Service Type do differ for certain users depending on the NAS.
Don't. Do *group* checking. if ((Packet-Src-IP-Address == 1.2.3.4) || ... # 80 times update request { NAS-Group = "one" # define this in "dictionary" } } elsif ((Packet-Src-IP-Address == 2.3.4.5) || ... # 14 times update request { NAS-Group = "two" } } Put the users into similar groups. Put them into groups called "admin", "some", or "readonly". if (User-Group == "admin") { update reply { Service-Type = Administrative-User } } elsif ((User-Group == "some") && (NAS-Group == "one")) { update reply { Service-Type = Administrative-User } } else { update reply { Service-Type = Login-User } } Alan DeKok.
participants (3)
-
Alan DeKok -
Mats Blomgren B -
tnt@kalik.net