Just checking back to see if anyone can let me know if I am on the right track. Thanks. -------- Original Message -------- Subject: Re: Huntgroups, Users and Proxy Date: Wed, 13 Dec 2006 15:17:44 -0500 From: Walt Reynolds <waltr@umich.edu> To: freeradius-users@lists.freeradius.org
Date: Wed, 13 Dec 2006 08:05:32 +0000 From: B Thompson <bt4@york.ac.uk> Subject: Re: Huntgroups, Users and Proxy To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <20061213080532.GA2261@grande.york.ac.uk> Content-Type: text/plain; charset=us-ascii
On Tue, Dec 12, 2006 at 04:23:43PM -0500, Walt Reynolds wrote:
I am going in circles here and not getting anywhere. I will try to describe what I want to do starting with huntgroups.
huntgroup: All NAS-IP-Address == 10.213.226.1 All NAS-IP-Address == 10.213.226.2 All NAS-IP-Address == 10.213.226.3 All NAS-IP-Address == 192.168.224.5 All NAS-IP-Address == 192.168.224.36 All NAS-IP-Address == 172.213.226.46
Bldg1 NAS-IP-Address == 10.213.226.1 Bldg1 NAS-IP-Address == 10.213.226.2 Bldg1 NAS-IP-Address == 10.213.226.3 Bldg1 NAS-IP-Address == 192.168.224.5 Bldg1 NAS-IP-Address == 192.168.224.36
Bldg2 NAS-IP-Address == 172.213.226.46
You can't have the same IP address in more than one huntgroup - See bug #233.
http://bugs.freeradius.org/show_bug.cgi?id=233
The solution is to use rlm_passwd instead.
Ok, Thanks for that info. Now lets say I put each NAS in one huntgroup (I added the extra groups for possibilities. So lets say I have the following: UnitA NAS-IP-Address == 10.213.226.1 UnitA NAS-IP-Address == 10.213.226.2 UnitA NAS-IP-Address == 10.213.226.3 UnitB NAS-IP-Address == 192.168.224.5 UnitAB NAS-IP-Address == 172.213.226.46 TypeVPN NAS-IP-Address == 192.168.224.5 TypeGW NAS-IP-Address == 192.168.224.36 So this sets each NAS into a single group. The rest of my question I am still confused about. "UnitA" Authenticate with user@unita.generic.edu or Authenticate with Null Realm or Authenticate user@generic.edu But NOT user@unitb.generic.edu "UnitB" Authenticate with user@unitb.generic.edu or Authenticate with Null Realm or Authenticate user@generic.edu but NOT user@unita.generic.edu "UnitAB" Authenticate with user@unita.generic.edu or Authenticate with user@unitb.generic.edu or user@generic.edu or Null realm "TypeVPN" Authenticate ONLY with Null Realm "TypeGW" authenticate with Null realm or generic.edu So would I add the following to the users file: (Not sure about UnitAB and TypeVPN with Fall-Through = No. I think the rest is right though) DEFAULT Huntgroup-Name == UnitAB, User-Name =~ *@unita.generic.edu", Proxy-To-Realm := unita.generic.edu Fall-Through = Yes DEFAULT Huntgroup-Name == UnitAB, User-Name =~ *@unitb.generic.edu", Proxy-To-Realm := unitb.generic.edu Fall-Through = Yes DEFAULT Huntgroup-Name == UnitA, Proxy-To-Realm := unita.generic.edu Fall-Through = Yes DEFAULT Huntgroup-Name == UnitB, Proxy-To-Realm := unitb.generic.edu Fall-Through = Yes DEFAULT Huntgroup-Name == TypeGW, Proxy-To-Realm := generic.edu Fall-Through = Yes DEFAULT Huntgroup-Name == TypeVPN, Proxy-To-Realm := NULL Fall-Through = No Then in the proxy.conf proxy server { synchronous = no retry_delay = 5 retry_count = 3 dead_time = 120 default_fallback = yes post_proxy_authorize = yes } realm unita.generic.edu { type = radius authhost = radius.unita.generic.edu:1812 accthost = radius.unita.generic.edu:1813 nostrip } realm unitb.generic.edu { type = radius authhost = radius.unita.generic.edu:1812 accthost = radius.unita.generic.edu:1813 nostrip } realm generic.edu { type = radius authhost = LOCAL accthost = LOCAL strip } realm NULL { type = radius authhost = LOCAL accthost = LOCAL } realm DEFAULT { type = radius authhost = radius.highered.edu:1812 accthost = radius.highered.edu:1812 secret = XXXX nostrip } Thanks. There are so many things our there that I got a little lost. I guess that is a problem with so many options and ways to do things. Sorry for the resend, but wanted the same subject for threading
-- Walter Reynolds Principle Systems Security Development Engineer Information Technology Central Services University of Michigan (734)615-9438 -- Walter Reynolds Principle Systems Security Development Engineer Information Technology Central Services University of Michigan (734)615-9438
participants (1)
-
Walt Reynolds