Huntgroups, Users and Proxy

Walt Reynolds waltr at umich.edu
Thu Dec 21 13:07:03 CET 2006


Just checking back to see if anyone can let me know if I am on the right 
track.  Thanks.

-------- Original Message --------
Subject: Re: Huntgroups, Users and Proxy
Date: Wed, 13 Dec 2006 15:17:44 -0500
From: Walt Reynolds <waltr at umich.edu>
To: freeradius-users at lists.freeradius.org


> Date: Wed, 13 Dec 2006 08:05:32 +0000
> From: B Thompson <bt4 at york.ac.uk>
> Subject: Re: Huntgroups, Users and Proxy
> To: FreeRadius users mailing list
> 	<freeradius-users at lists.freeradius.org>
> Message-ID: <20061213080532.GA2261 at grande.york.ac.uk>
> Content-Type: text/plain; charset=us-ascii
> 
> On Tue, Dec 12, 2006 at 04:23:43PM -0500, Walt Reynolds wrote:
>> I am going in circles here and not getting anywhere.  I will try to 
>> describe what I want to do starting with huntgroups.
>>
>> huntgroup:
>> All             NAS-IP-Address == 10.213.226.1
>> All             NAS-IP-Address == 10.213.226.2
>> All             NAS-IP-Address == 10.213.226.3
>> All             NAS-IP-Address == 192.168.224.5
>> All             NAS-IP-Address == 192.168.224.36
>> All             NAS-IP-Address == 172.213.226.46
>>
>> Bldg1           NAS-IP-Address == 10.213.226.1
>> Bldg1           NAS-IP-Address == 10.213.226.2
>> Bldg1           NAS-IP-Address == 10.213.226.3
>> Bldg1           NAS-IP-Address == 192.168.224.5
>> Bldg1           NAS-IP-Address == 192.168.224.36
>>
>> Bldg2           NAS-IP-Address == 172.213.226.46
> 
> You can't have the same IP address in more than one huntgroup - See bug
> #233.
> 
>  http://bugs.freeradius.org/show_bug.cgi?id=233
> 
> The solution is to use rlm_passwd instead.

Ok, thanks for that info.  Now let's say I put each NAS in one huntgroup
(I added the extra groups for possibilities).

So let's say I have the following:

UnitA        NAS-IP-Address == 10.213.226.1
UnitA        NAS-IP-Address == 10.213.226.2
UnitA        NAS-IP-Address == 10.213.226.3

UnitB        NAS-IP-Address == 192.168.224.5

UnitAB        NAS-IP-Address == 172.213.226.46

TypeVPN        NAS-IP-Address == 192.168.224.5

TypeGW        NAS-IP-Address == 192.168.224.36

So this sets each NAS into a single group.  The rest of my question I am
still confused about.
"UnitA"   Authenticate with user@unita.generic.edu
          or
          Authenticate with Null Realm
          or
          Authenticate user@generic.edu
          But NOT
          user@unitb.generic.edu
"UnitB"   Authenticate with user@unitb.generic.edu
          or
          Authenticate with Null Realm
          or
          Authenticate user@generic.edu
          but NOT
          user@unita.generic.edu
"UnitAB"  Authenticate with user@unita.generic.edu
          or
          Authenticate with user@unitb.generic.edu
          or
          user@generic.edu
          or
          Null realm
"TypeVPN" Authenticate ONLY with Null Realm
"TypeGW"  Authenticate with Null realm or generic.edu

So would I add the following to the users file: (Not sure about UnitAB
and TypeVPN with Fall-Through = No.  I think the rest is right though)

# Check items (including Proxy-To-Realm) go on the first line of each entry;
# reply items are indented below it.
# User-Name checks are quoted, anchored regular expressions.
DEFAULT	Huntgroup-Name == UnitAB, User-Name =~ "^[^@]+@unita\.generic\.edu$", Proxy-To-Realm := unita.generic.edu
	Fall-Through = Yes
DEFAULT	Huntgroup-Name == UnitAB, User-Name =~ "^[^@]+@unitb\.generic\.edu$", Proxy-To-Realm := unitb.generic.edu
	Fall-Through = Yes
DEFAULT	Huntgroup-Name == UnitA, Proxy-To-Realm := unita.generic.edu
	Fall-Through = Yes
DEFAULT	Huntgroup-Name == UnitB, Proxy-To-Realm := unitb.generic.edu
	Fall-Through = Yes
DEFAULT	Huntgroup-Name == TypeGW, Proxy-To-Realm := generic.edu
	Fall-Through = Yes
DEFAULT	Huntgroup-Name == TypeVPN, Proxy-To-Realm := NULL
	Fall-Through = No

Then in the proxy.conf

proxy server {
	synchronous = no
	retry_delay = 5
	retry_count = 3
	dead_time = 120
	default_fallback = yes
	post_proxy_authorize = yes
}

# Remote realms: each needs the shared secret of its home server
# (XXXX is a placeholder).
realm unita.generic.edu {
	type		= radius
	authhost	= radius.unita.generic.edu:1812
	accthost	= radius.unita.generic.edu:1813
	secret		= XXXX
	nostrip
}
# Assumed hostname for UnitB's own server.
realm unitb.generic.edu {
	type		= radius
	authhost	= radius.unitb.generic.edu:1812
	accthost	= radius.unitb.generic.edu:1813
	secret		= XXXX
	nostrip
}

# Realms answered by this server itself; LOCAL needs no secret.
realm generic.edu {
	type		= radius
	authhost	= LOCAL
	accthost	= LOCAL
	strip
}
realm NULL {
	type		= radius
	authhost	= LOCAL
	accthost	= LOCAL
}

# Everything else goes upstream; accounting uses port 1813.
realm DEFAULT {
	type		= radius
	authhost	= radius.highered.edu:1812
	accthost	= radius.highered.edu:1813
	secret		= XXXX
	nostrip
}


Thanks.  There are so many things out there that I got a little lost.  I
guess that is a problem with so many options and ways to do things.

Sorry for the resend, but wanted the same subject for threading

-- 
    Walter Reynolds
    Principle Systems Security Development Engineer
    Information Technology Central Services
    University of Michigan
    (734)615-9438
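Added example, not code from the post or from FreeRADIUS: the per-huntgroup realm policy listed above ("UnitA" may authenticate null-realm, generic.edu and unita.generic.edu users but not unitb.generic.edu, and so on) written as a small Python decision function, so the rules can be checked against sample requests before they are encoded in the users file. It assumes that 192.168.224.5 belongs to UnitB only (the post lists it under both UnitB and TypeVPN), that a realm not named for a huntgroup is rejected rather than sent to realm DEFAULT, that NULL and generic.edu are the locally answered realms (authhost = LOCAL in the proxy.conf above), and the sample NAS 203.0.113.9 and usernames are constructed.

```python
"""Per-huntgroup realm policy from the post, as a testable decision function."""
import re
from typing import NamedTuple, Optional

# Constructed from the huntgroup table in the post: one NAS-IP-Address per
# huntgroup. 192.168.224.5 is assumed to be UnitB (the post also lists it
# under TypeVPN, but an address may belong to only one huntgroup).
HUNTGROUPS = {
    "10.213.226.1": "UnitA",
    "10.213.226.2": "UnitA",
    "10.213.226.3": "UnitA",
    "192.168.224.5": "UnitB",
    "172.213.226.46": "UnitAB",
    "192.168.224.36": "TypeGW",
}

# Realms each huntgroup may authenticate, from the policy text in the post.
# "NULL" is a bare username with no '@realm' suffix. Assumption: a realm not
# listed for a huntgroup is rejected outright rather than sent to realm DEFAULT.
ALLOWED_REALMS = {
    "UnitA":   {"NULL", "generic.edu", "unita.generic.edu"},
    "UnitB":   {"NULL", "generic.edu", "unitb.generic.edu"},
    "UnitAB":  {"NULL", "generic.edu", "unita.generic.edu", "unitb.generic.edu"},
    "TypeVPN": {"NULL"},
    "TypeGW":  {"NULL", "generic.edu"},
}

# Realms this server answers itself (authhost = LOCAL in the post's proxy.conf);
# every other permitted realm is proxied to its home server.
LOCAL_REALMS = {"NULL", "generic.edu"}

# Anchored "user@realm" pattern, the shape a users-file `User-Name =~ "..."`
# check needs: exactly one '@' with a non-empty user and realm on either side.
REALM_RE = re.compile(r"^(?P<user>[^@]+)@(?P<realm>[^@]+)$")


class Decision(NamedTuple):
    huntgroup: Optional[str]
    realm: Optional[str]
    action: str  # "local", "proxy" or "reject"
    reason: str


def split_realm(user_name: str):
    """Return (user, realm); realm is "NULL" when there is no '@'.
    Raises ValueError for malformed names such as "alice@" or "a@b@c"."""
    if "@" not in user_name:
        return user_name, "NULL"
    m = REALM_RE.match(user_name)
    if m is None:
        raise ValueError(f"malformed User-Name: {user_name!r}")
    return m.group("user"), m.group("realm").lower()


def decide_for_huntgroup(huntgroup: str, user_name: str) -> Decision:
    """Apply the realm policy of one huntgroup to a User-Name."""
    try:
        _user, realm = split_realm(user_name)
    except ValueError as exc:
        return Decision(huntgroup, None, "reject", str(exc))
    allowed = ALLOWED_REALMS.get(huntgroup)
    if allowed is None:
        return Decision(huntgroup, realm, "reject", f"no policy for huntgroup {huntgroup}")
    if realm not in allowed:
        return Decision(huntgroup, realm, "reject", f"realm {realm} not permitted on {huntgroup}")
    if realm in LOCAL_REALMS:
        return Decision(huntgroup, realm, "local", f"realm {realm} is authenticated locally")
    return Decision(huntgroup, realm, "proxy", f"Proxy-To-Realm := {realm}")


def decide(nas_ip: str, user_name: str) -> Decision:
    """Map NAS-IP-Address to its huntgroup, then apply that huntgroup's policy."""
    huntgroup = HUNTGROUPS.get(nas_ip)
    if huntgroup is None:
        return Decision(None, None, "reject", f"NAS {nas_ip} is in no huntgroup")
    return decide_for_huntgroup(huntgroup, user_name)


if __name__ == "__main__":
    # Constructed sample requests, including the cross-unit cases the post forbids.
    samples = [
        ("10.213.226.1", "alice"),
        ("10.213.226.1", "alice@unita.generic.edu"),
        ("10.213.226.1", "alice@unitb.generic.edu"),
        ("172.213.226.46", "alice@unitb.generic.edu"),
        ("192.168.224.36", "bob@generic.edu"),
        ("192.168.224.36", "bob@unita.generic.edu"),
        ("10.213.226.1", "alice@"),
        ("203.0.113.9", "carol"),
    ]
    for nas, name in samples:
        d = decide(nas, name)
        print(f"{nas:>15} {name:<26} -> {d.action:<6} ({d.reason})")
```

The point of modelling the policy this way is that the cross-unit case (a unitb.generic.edu user on a UnitA NAS) is rejected by the huntgroup check itself, rather than relying on the remote server to refuse it after the request has already been proxied; a malformed User-Name with an empty or doubled realm part is rejected for the same reason. Each row of ALLOWED_REALMS corresponds to one set of users-file entries keyed on Huntgroup-Name.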


