Help mixing proxied and non-proxied auth mechanisms

Alan DeKok aland at ox.org
Tue Mar 14 18:46:39 CET 2006


Geoff Silver <geoff+freeradius at uslinux.net> wrote:
> So, right now, for every huntgroup/connect-info pair, I have *two* entries in
> the users file.  One is for Port-1812, the other for Port-1645.  So the
> question of the hour is: Is there something nifty I can do to eliminate the
> need for *two* nearly-identical entries for each user?

  Yes.  Another layer of indirection should do it.  From what you've
said, it looks like the "users" file entries are all the same, except
for the username.  That should help you narrow down potential
solutions.

  You appear to have two independent requirements:

  1) port 1645 versus 1812 checks
  2) allowing only known users

  The first can be solved by what you have.  The second can be solved
by putting all of the known users into a group (see rlm_passwd).
Then, in the "users" file, do:

DEFAULT My-Group != "known", Auth-Type := Reject

DEFAULT  Auth-Type:=Accept, Huntgroup-Name=="Office", Hint==Port-1812
        Connect-Info="OFFICE_NET"
DEFAULT  Huntgroup-Name=="Office", Hint==Port-1645, Proxy-To-Realm := PROXY_GW
	Connect-Info="OFFICE_NET"


  Alan DeKok.
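
Added example, not part of the original message and not taken from the poster's configuration: one way the "known users" group could be populated with rlm_passwd. The instance name known_users, the path /etc/raddb/known_users, the attribute number 3000 and the usernames are assumptions made for illustration; My-Group and the value "known" come from the reply above.

```text
# --- /etc/raddb/dictionary (assumed location) ---
# My-Group is a local, server-side attribute and is never sent in a packet.
# The number 3000 is an assumption; use any free local attribute number.
ATTRIBUTE	My-Group	3000	string

# --- /etc/raddb/known_users (hypothetical file, constructed sample) ---
# One line per group:  group-name:comma-separated usernames
known:alice,bob,carol

# --- radiusd.conf, modules { } section ---
passwd known_users {
	filename = /etc/raddb/known_users
	# Field 1 is the value stored in My-Group. The leading "=" adds it
	# to the request items so a "users" file check can compare it.
	# Field 2 is the lookup key (*), holding a comma-separated list (,)
	# that is matched against User-Name.
	format = "=My-Group:*,User-Name"
	delimiter = ":"
	hashsize = 100
	ignore_nislike = yes
	allow_multiple_keys = yes
}

# --- radiusd.conf, authorize { } section ---
# The passwd instance must be listed before "files" so that My-Group
# is already set when the "users" file entries are evaluated.
authorize {
	preprocess
	known_users
	files
}
```

Run the server in debug mode (radiusd -X) with one listed and one unlisted username to confirm the reject entry behaves as intended before relying on it.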


