restricting access for users
Dustin Doris
freeradius at mail.doris.cc
Mon Jun 13 15:49:00 CEST 2005
Try this.
huntgroups
> diegem NAS-IP-Address == 10.5.x.x
> diegem NAS-IP-Address == 10.5.x.x
> diegem NAS-IP-Address == 10.5.x.x
> brussels NAS-IP-Address == 10.2.x.x
users file
#note: there is no default auth-type = system here
DEFAULT Group == NOC, Auth-Type := System
        replyattrs = replyvalues
bob     Huntgroup-Name == diegem, Auth-Type := System
        replyattrs = replyvalues...
somebrusselluser Huntgroup-Name == brussels, Auth-Type := System
        reply attrs
DEFAULT Auth-Type := Reject
That means:
If the user is in group NOC, match here and authorize the user using system
If user bob is coming from huntgroup diegem, match here and authorize the user
If user somebrusselluser is coming from huntgroup brussels, match
If there are no matches above, reject the user
I suspect that your DEFAULT Auth-Type = system entry is at the top of your
users file. Then you have some matching rules. You have a user that
comes in but won't match any of your matching rules, so it will default to
the auth-type = system entry that it matched at first and simply authorize
the user with system.
What I have above specifies to use system when it matches each user entry
or the group entry. If there is no match, then it tells you to reject the
user.
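The ordering point made above, as an added example (not part of the original post and not FreeRADIUS code): a small model of how the users file is evaluated, first match wins and DEFAULT matches any username, so a catch-all DEFAULT at the top authorizes everyone while the suggested ordering rejects users that match no specific entry. The /16 networks for the masked 10.5.x.x and 10.2.x.x huntgroups and the request values are constructed assumptions.

```python
import ipaddress

# Huntgroups from the post; the masked 10.5.x.x / 10.2.x.x are modelled as
# /16 prefixes (an assumption made for this example).
HUNTGROUPS = {
    "diegem": ipaddress.ip_network("10.5.0.0/16"),
    "brussels": ipaddress.ip_network("10.2.0.0/16"),
}

def huntgroups_for(nas_ip):
    """Names of all huntgroups whose NAS-IP-Address range contains nas_ip."""
    ip = ipaddress.ip_address(nas_ip)
    return {name for name, net in HUNTGROUPS.items() if ip in net}

def entry_matches(entry, req):
    """True when the entry name and every check item match the request."""
    name, checks, _auth_type = entry
    if name != "DEFAULT" and name != req["User-Name"]:
        return False
    for attr, value in checks.items():
        if attr == "Group" and value not in req.get("groups", set()):
            return False
        if attr == "Huntgroup-Name" and value not in huntgroups_for(req["NAS-IP-Address"]):
            return False
    return True

def authorize(users, req):
    """Auth-Type of the first matching entry (no Fall-Through), or None."""
    for entry in users:
        if entry_matches(entry, req):
            return entry[2]
    return None

# Ordering the poster suspects the asker has: a catch-all DEFAULT first.
BROKEN = [
    ("DEFAULT", {}, "System"),
    ("DEFAULT", {"Group": "NOC"}, "System"),
    ("bob", {"Huntgroup-Name": "diegem"}, "System"),
]
# Ordering suggested in the reply: specific entries first, DEFAULT Reject last.
FIXED = [
    ("DEFAULT", {"Group": "NOC"}, "System"),
    ("bob", {"Huntgroup-Name": "diegem"}, "System"),
    ("somebrusselluser", {"Huntgroup-Name": "brussels"}, "System"),
    ("DEFAULT", {}, "Reject"),
]

# Constructed requests: bob from a diegem NAS, and an unknown user from the same NAS.
BOB = {"User-Name": "bob", "NAS-IP-Address": "10.5.1.1", "groups": set()}
UNKNOWN = {"User-Name": "unknownuser", "NAS-IP-Address": "10.5.1.1", "groups": set()}
```

With BROKEN both requests get System; with FIXED bob still gets System but the unknown user, and bob coming from the brussels NAS, get Reject.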