on the right track?
mbjohn at duke.edu
mbjohn at duke.edu
Tue May 2 19:29:59 CEST 2006
David,
My apologies for not getting back to you sooner. Thank you so much for
your reply. I believe it will be very helpful. However....
I assume in the set up you give below, since you have authentication set
to "system", you're able to specify who is in which group that way. We're
using Kerberos for our authentication here. We'll have a few people who
will go in the extended group, whereas everyone else will go in the 15-min
pool. Is there a way to specify what usernames go in the extended pool
and let everyone default to the normal?
I tried to do this with huntgroups, specifying specific users for the
extended group, and the putting "User-Name == `%{User-Name}`" for everyone
else....though cool in concept, that didn't work :(. We're hoping to have
this in place by graduation....any help is greatly appreciated :)
On Thu, 23 Feb 2006, Galloway, David Mr KRS wrote:
> I just worked this out yesterday.
>
> Best way for me (I found) was to create two groups (one is pubnet-dialup the
> other is pubnet-extend)
>
> I set this in the /etc/raddb/users file
>
>
> # Authentication for pubnet-dialup group
> DEFAULT Auth-Type = System, Group == "pubnet-dialup"
> Fall-Through = 1
>
>
> # authentication for pubnet-extend group
> DEFAULT Auth-Type = System, Group == "pubnet-extend"
> Fall-Through = 1
>
>
>
> # Defaults for all framed connections.
> #
> # sets timeout for group "pubnet-dialup"
> DEFAULT Service-Type == Framed-User, Group == "pubnet-dialup"
> Framed-IP-Address = 255.255.255.254,
> Framed-MTU = 576,
> Service-Type = Framed-User,
> Session-Timeout = 14400,
> Idle-Timeout = 1800,
> Fall-Through = Yes
>
> # Sets timeout for group "pubnet-extend"
> DEFAULT Service-Type == Framed-User, Group == "pubnet-extend"
> Framed-IP-Address = 255.255.255.254,
> Framed-MTU = 576,
> Service-Type = Framed-User,
> Session-Timeout = 28800,
> Idle-Timeout = 1800,
> Fall-Through = Yes
>
>
>
>
>
> I authenticate against two groups. Then set the timeouts per each group
> (first is for 4 hours, second 8).
>
>
> Hope that helps.
>
>
> Regards,
>
>
> David Galloway
> Public Networks Administration
> KRS IT Network Operations
> Help Desk (805) 355-2444
> Direct (805) 355-4512
>
> -----Original Message-----
> From:
> freeradius-users-bounces+david.l.galloway=us.army.mil at lists.freeradius.org
> [mailto:freeradius-users-bounces+david.l.galloway=us.army.mil at lists.freeradi
> us.org] On Behalf Of mbjohn at duke.edu
> Sent: Thursday, February 23, 2006 3:43 AM
> To: freeradius-users at lists.freeradius.org
> Subject: on the right track?
>
> Hello all!
>
> I've tried to search the web and the archives for an answer to this question
> and didn't come up with anything, so I hope I'm not duplicating a question
> that's already been answered.
>
> Currently, where I work, we run two modem pools. One pool is limited to
> certain users who are allowed to connect up to 8 hrs at a time. The other
> pool is for general users who are given 15 min to quickly check email or
> search for something on the web (fwiw, they're allowed to reconnect after
> their time is up....).
>
> As broadband has become more available, less and less users are using the
> modem pool. We still have a handful of people from both groups who are
> still using it. So, in the interest to provide the service for the people
> still using it while not paying for unused lines, we're trying to
> consolidate things.
>
> We have a Cisco AS5300 terminal server that already uses freeradius w/
> kerberos to authenticate users. We would like to take that a step further
> and use freeradius to limit usage time based on the user name (certain users
> are allowed 8hrs while all others are given 15min).
>
> Looking over the config files in /etc/raddb, it appears the attrs file is
> just what I need to use. Would I be able to use a combination of huntgroups
> and the attrs file to accomplish what I need? I know in the documentation
> for the "fisp" entry, it talks about not having a Fall-Through entry. Does
> that mean it CANNOT have a Fall-Through entry, or that the given example
> does not? Am I on the right track with this, or should I look elsewhere?
>
> Thanks for your help!
>
> Brian
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
More information about the Freeradius-Users
mailing list