Help mixing proxied and non-proxied auth mechanisms

Geoff Silver geoff+freeradius at uslinux.net
Tue Mar 14 19:04:01 CET 2006


Alan DeKok wrote:
>   You appear to have two independent requirements:
> 
>   1) port 1645 versus 1812 checks
>   2) allowing only known users
> 
>   The first can be solved by what you have.  The second can be solved
> by putting all of the known users into a group (see rlm_passwd).
> Then, in the "users" file, do:
> 
> DEFAULT My-Group != "known", Auth-Type := Reject
> 
> DEFAULT  Auth-Type:=Accept, Huntgroup-Name=="Office", Hint==Port-1812
>         Connect-Info="OFFICE_NET"
> DEFAULT  Huntgroup-Name=="Office", Hint==Port-1645, Proxy-To-Realm := PROXY_GW
> 	Connect-Info="OFFICE_NET"

That will work for the simple case I provided, but my users file is actually a
bit more complicated.  There are multiple NAS-IP-Address and/or Huntgroups
available, and not all users have access to all of them.  The only thing
guaranteed is that any user who *has* an entry actually has two, one with a
Hint==Port-1645 and the other with Hint==Port-1812.

Perhaps a better users file example would be:

user01	Auth-Type:=Accept, NAS-IP-Address==10.1.2.3, Hint==Port-1812
user01	Auth-Type:=Accept, NAS-IP-Address==10.1.2.4, Hint==Port-1812
user01	NAS-IP-Address==10.1.2.3, Hint==Port-1645, Proxy-To-Realm:=PROXY_GW
user02	Auth-Type:=Accept, NAS-IP-Address==10.1.2.3, Hint==Port-1812
user03	NAS-IP-Address==10.1.2.4, Hint==Port-1645, Proxy-To-Realm:=PROXY_GW

Additionally, none of these folks have (or can have) /etc/passwd accounts on
this system, so I'm not sure that rlm_passwd will work for me necessarily
(plus, we're back to the "not every user has access to every NAS/Huntgroup"
problem).
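As an added illustration (not part of Geoff's or Alan's messages, and not FreeRADIUS code), the following Python script models the users-file matching that the thread is arguing about: an entry applies when its name matches the User-Name (or is DEFAULT) and every `==` check item equals the corresponding request attribute, and the first applicable entry wins. It is fed the five entries from the post above, followed by a trailing `DEFAULT Auth-Type:=Reject` line that is an assumption added here so that anything not matched by an explicit entry (an unknown user, or a known user on a NAS they have no entry for) is rejected instead of falling through. The `request()` helper supplies the Hint value directly; in the real setup it comes from the hints file.

```python
import re
from dataclasses import dataclass, field

# Constructed users-file text: the five entries from the post, re-typed here,
# plus an added catch-all DEFAULT (assumption) that rejects whatever the
# explicit entries above it did not match.
USERS_FILE = """\
user01\tAuth-Type:=Accept, NAS-IP-Address==10.1.2.3, Hint==Port-1812
user01\tAuth-Type:=Accept, NAS-IP-Address==10.1.2.4, Hint==Port-1812
user01\tNAS-IP-Address==10.1.2.3, Hint==Port-1645, Proxy-To-Realm:=PROXY_GW
user02\tAuth-Type:=Accept, NAS-IP-Address==10.1.2.3, Hint==Port-1812
user03\tNAS-IP-Address==10.1.2.4, Hint==Port-1645, Proxy-To-Realm:=PROXY_GW
DEFAULT\tAuth-Type:=Reject
"""

# One item: Attribute, operator (== compares, := sets), optionally quoted value.
ITEM_RE = re.compile(r'^([\w-]+)\s*(==|:=)\s*"?([^"]*?)"?$')


@dataclass
class Entry:
    name: str                                    # user name or DEFAULT
    checks: list = field(default_factory=list)   # (attr, value) pairs compared with ==
    control: dict = field(default_factory=dict)  # attrs set with := on the first line
    reply: dict = field(default_factory=dict)    # items from indented continuation lines


def parse_items(text):
    """Split 'A==x, B:=y' into a list of (attr, op, value) tuples."""
    items = []
    for raw in text.split(','):
        raw = raw.strip()
        if not raw:
            continue
        m = ITEM_RE.match(raw)
        if not m:
            raise ValueError(f"cannot parse item: {raw!r}")
        items.append(m.groups())
    return items


def parse_users(text):
    """Parse users-file text: name and check items on the first line of an
    entry, reply items on whitespace-indented continuation lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if line[0].isspace():                      # continuation line: reply items
            for attr, _op, value in parse_items(line):
                entries[-1].reply[attr] = value
            continue
        parts = line.split(None, 1)
        entry = Entry(parts[0])
        for attr, op, value in parse_items(parts[1] if len(parts) > 1 else ''):
            if op == '==':
                entry.checks.append((attr, value))
            else:
                entry.control[attr] = value
        entries.append(entry)
    return entries


def first_match(entries, request):
    """Return the first entry whose name matches (or is DEFAULT) and whose
    every check item equals the request attribute, or None."""
    for e in entries:
        if e.name != 'DEFAULT' and e.name != request.get('User-Name'):
            continue
        if all(request.get(attr) == value for attr, value in e.checks):
            return e
    return None


def decide(entries, request):
    """Summarise the outcome for one request: 'Accept', 'Reject',
    'Proxy-To-Realm=<realm>', 'Matched' (entry without either), or 'NoMatch'."""
    e = first_match(entries, request)
    if e is None:
        return 'NoMatch'
    if 'Proxy-To-Realm' in e.control:
        return 'Proxy-To-Realm=' + e.control['Proxy-To-Realm']
    return e.control.get('Auth-Type', 'Matched')


def request(user, nas_ip, hint):
    # Hint is normally set by the hints file from the listening port; it is
    # supplied directly here so the example runs stand-alone.
    return {'User-Name': user, 'NAS-IP-Address': nas_ip, 'Hint': hint}


ENTRIES = parse_users(USERS_FILE)
# The same file without the added DEFAULT, to show what falls through.
ENTRIES_NO_DEFAULT = [e for e in ENTRIES if e.name != 'DEFAULT']

if __name__ == '__main__':
    for args in [('user01', '10.1.2.3', 'Port-1812'),
                 ('user01', '10.1.2.3', 'Port-1645'),
                 ('user01', '10.1.2.4', 'Port-1645'),
                 ('user02', '10.1.2.4', 'Port-1812'),
                 ('user99', '10.1.2.3', 'Port-1812')]:
        print(args, '->', decide(ENTRIES, request(*args)),
              '| without DEFAULT:', decide(ENTRIES_NO_DEFAULT, request(*args)))
```

The third and fourth requests are the cases the post cares about: user01 arriving on port 1645 from 10.1.2.4, and user02 from 10.1.2.4 at all, have no explicit entry, so without the catch-all they produce no match and the decision is left to whatever follows in the server configuration; with it they are rejected outright, as is the unknown user99.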



