Huntgroups, Users and Proxy
Walt Reynolds
waltr at umich.edu
Thu Dec 21 13:07:03 CET 2006
Just checking back to see if anyone can let me know if I am on the right
track. Thanks.
-------- Original Message --------
Subject: Re: Huntgroups, Users and Proxy
Date: Wed, 13 Dec 2006 15:17:44 -0500
From: Walt Reynolds <waltr at umich.edu>
To: freeradius-users at lists.freeradius.org
> Date: Wed, 13 Dec 2006 08:05:32 +0000
> From: B Thompson <bt4 at york.ac.uk>
> Subject: Re: Huntgroups, Users and Proxy
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID: <20061213080532.GA2261 at grande.york.ac.uk>
> Content-Type: text/plain; charset=us-ascii
>
> On Tue, Dec 12, 2006 at 04:23:43PM -0500, Walt Reynolds wrote:
>> I am going in circles here and not getting anywhere. I will try to
>> describe what I want to do starting with huntgroups.
>>
>> huntgroup:
>> All NAS-IP-Address == 10.213.226.1
>> All NAS-IP-Address == 10.213.226.2
>> All NAS-IP-Address == 10.213.226.3
>> All NAS-IP-Address == 192.168.224.5
>> All NAS-IP-Address == 192.168.224.36
>> All NAS-IP-Address == 172.213.226.46
>>
>> Bldg1 NAS-IP-Address == 10.213.226.1
>> Bldg1 NAS-IP-Address == 10.213.226.2
>> Bldg1 NAS-IP-Address == 10.213.226.3
>> Bldg1 NAS-IP-Address == 192.168.224.5
>> Bldg1 NAS-IP-Address == 192.168.224.36
>>
>> Bldg2 NAS-IP-Address == 172.213.226.46
>
> You can't have the same IP address in more than one huntgroup - See bug
> #233.
>
> http://bugs.freeradius.org/show_bug.cgi?id=233
>
> The solution is to use rlm_passwd instead.
Ok, Thanks for that info. Now lets say I put each NAS in one huntgroup
(I added the extra groups for possibilities.
So lets say I have the following:
UnitA NAS-IP-Address == 10.213.226.1
UnitA NAS-IP-Address == 10.213.226.2
UnitA NAS-IP-Address == 10.213.226.3
UnitB NAS-IP-Address == 192.168.224.5
UnitAB NAS-IP-Address == 172.213.226.46
TypeVPN NAS-IP-Address == 192.168.224.5
TypeGW NAS-IP-Address == 192.168.224.36
So this sets each NAS into a single group. The rest of my question I am
still confused about.
"UnitA" Authenticate with user at unita.generic.edu
or
Authenticate with Null Realm
or
Authenticate user at generic.edu
But NOT
user at unitb.generic.edu
"UnitB" Authenticate with user at unitb.generic.edu
or
Authenticate with Null Realm
or
Authenticate user at generic.edu
but NOT
user at unita.generic.edu
"UnitAB" Authenticate with user at unita.generic.edu
or
Authenticate with user at unitb.generic.edu
or
user at generic.edu
or
Null realm
"TypeVPN" Authenticate ONLY with Null Realm
"TypeGW" authenticate with Null realm or generic.edu
So would I add the following to the users file: (Not sure about UnitAB
and TypeVPN with Fall-Through = No. I think the rest is right though)
DEFAULT Huntgroup-Name == UnitAB, User-Name =~ *@unita.generic.edu",
Proxy-To-Realm := unita.generic.edu
Fall-Through = Yes
DEFAULT Huntgroup-Name == UnitAB, User-Name =~ *@unitb.generic.edu",
Proxy-To-Realm := unitb.generic.edu
Fall-Through = Yes
DEFAULT Huntgroup-Name == UnitA, Proxy-To-Realm := unita.generic.edu
Fall-Through = Yes
DEFAULT Huntgroup-Name == UnitB, Proxy-To-Realm := unitb.generic.edu
Fall-Through = Yes
DEFAULT Huntgroup-Name == TypeGW, Proxy-To-Realm := generic.edu
Fall-Through = Yes
DEFAULT Huntgroup-Name == TypeVPN, Proxy-To-Realm := NULL
Fall-Through = No
Then in the proxy.conf
proxy server {
synchronous = no
retry_delay = 5
retry_count = 3
dead_time = 120
default_fallback = yes
post_proxy_authorize = yes
}
realm unita.generic.edu {
type = radius
authhost = radius.unita.generic.edu:1812
accthost = radius.unita.generic.edu:1813
nostrip
}
realm unitb.generic.edu {
type = radius
authhost = radius.unita.generic.edu:1812
accthost = radius.unita.generic.edu:1813
nostrip
}
realm generic.edu {
type = radius
authhost = LOCAL
accthost = LOCAL
strip
}
realm NULL {
type = radius
authhost = LOCAL
accthost = LOCAL
}
realm DEFAULT {
type = radius
authhost = radius.highered.edu:1812
accthost = radius.highered.edu:1812
secret = XXXX
nostrip
}
Thanks. There are so many things our there that I got a little lost. I
guess that is a problem with so many options and ways to do things.
Sorry for the resend, but wanted the same subject for threading
>
--
Walter Reynolds
Principle Systems Security Development Engineer
Information Technology Central Services
University of Michigan
(734)615-9438
--
Walter Reynolds
Principle Systems Security Development Engineer
Information Technology Central Services
University of Michigan
(734)615-9438
More information about the Freeradius-Users
mailing list