Help mixing proxied and non-proxied auth mechanisms
Alan DeKok
aland at ox.org
Tue Mar 14 18:46:39 CET 2006
Geoff Silver <geoff+freeradius at uslinux.net> wrote:
> So, right now, for every huntgroup/connect-info pair, I have *two* entries in
> the users file. One is for Port-1812, the other for Port-1645. So the
> question of the hour is: Is there something nifty I can do to eliminate the
> need for *two* nearly-identical entries for each user?
Yes. Another layer of indirection should do it. From what you've
said, it looks like the "users" file entries are all the same, except
for the username. That should help you narrow down potential
solutions.
You appear to have two independent requirements:
1) port 1645 versus 1812 checks
2) allowing only known users
The first can be solved by what you have. The second can be solved
by putting all of the known users into a group (see rlm_passwd).
Then, in the "users" file, do:
DEFAULT My-Group != "known", Auth-Type := Reject

DEFAULT Auth-Type:=Accept, Huntgroup-Name=="Office", Hint==Port-1812
        Connect-Info="OFFICE_NET"

DEFAULT Huntgroup-Name=="Office", Hint==Port-1645, Proxy-To-Realm := PROXY_GW
        Connect-Info="OFFICE_NET"
Alan DeKok.
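
The order of the three DEFAULT entries above matters, because the first matching entry ends processing. The sketch below is an added example (not part of the original message and not FreeRADIUS code) that models that first-match behaviour in simplified form. It assumes the group lookup tags every request with My-Group; the "guest" group value, the "Lab" huntgroup and the helper names are constructed for illustration.

```python
# Added illustration, not FreeRADIUS code: a simplified first-match model of
# the three DEFAULT entries from the message above.
# Assumptions: no entry sets Fall-Through, so the first entry whose check
# items all match ends processing; the group lookup has already tagged every
# request with My-Group ("known" or some other value); ":=" items are
# assignments, not comparisons.

ENTRIES = [
    {"check": [("My-Group", "!=", "known")],
     "set": {"Auth-Type": "Reject"}, "reply": {}},
    {"check": [("Huntgroup-Name", "==", "Office"), ("Hint", "==", "Port-1812")],
     "set": {"Auth-Type": "Accept"}, "reply": {"Connect-Info": "OFFICE_NET"}},
    {"check": [("Huntgroup-Name", "==", "Office"), ("Hint", "==", "Port-1645")],
     "set": {"Proxy-To-Realm": "PROXY_GW"}, "reply": {"Connect-Info": "OFFICE_NET"}},
]


def matches(check, request):
    """True when every comparison in the check list holds for the request."""
    for attr, op, value in check:
        equal = request.get(attr) == value
        if equal != (op == "=="):
            return False
    return True


def evaluate(request, entries=ENTRIES):
    """Return (config items, reply items) of the first matching entry."""
    for entry in entries:
        if matches(entry["check"], request):
            return entry["set"], entry["reply"]
    return {}, {}  # nothing matched: no Auth-Type or realm is assigned here


def req(group, hint, huntgroup="Office"):
    """Build a constructed sample request."""
    return {"My-Group": group, "Hint": hint, "Huntgroup-Name": huntgroup}


if __name__ == "__main__":
    for group in ("known", "guest"):          # "guest" is a constructed value
        for hint in ("Port-1812", "Port-1645"):
            print(group, hint, evaluate(req(group, hint)))
    # Moving the Reject entry to the end lets the Accept entry win first.
    reordered = ENTRIES[1:] + ENTRIES[:1]
    print("reordered:", evaluate(req("guest", "Port-1812"), reordered))
```

In this model, a request from a known user in a huntgroup other than "Office" matches none of the three entries, so whatever follows them in the file decides its outcome.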