huntgroup issue, multiple huntgroups per device

Charles Tompkins crt at thig.com
Tue Nov 14 20:35:53 CET 2006


Is it possible to have multiple huntgroups for the same NAS-IP-ADDRESS?

I am running into this issue trying to configure a VPN appliance that uses
the same FreeRADIUS server to authenticate its users as well as its admins.

The huntgroups file gets checked from top to bottom, so depending on which
specified group comes first, the other gets denied access.

i.e.
"../raddb/huntgroups"

vpn        NAS-IP-Address == 10.20.30.1
                Group = VPNUSERS

vpn-admin  NAS-IP-Address == 10.20.30.1
                User-Name = admin1,
                User-Name = admin2

This config keeps the admins out of the vty but lets the users VPN in.

Debug reveals:
No huntgroup access: [admin1] (from client vpn.foo.com port 6256 cli 10.10.10.10)
  modcall[authorize]: module "preprocess" returns reject for request 1
modcall: leaving group authorize (returns reject) for request 1

FYI, my users file checks for admins first then falls through to framed
users...

I would like to avoid adding another ip address to the vpn appliance if at
all possible.

Regards from sunny Florida,
-Charles Tompkins
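
The first-match behaviour described in the post can be reproduced with a small model. This is an added example, not part of the original message and not FreeRADIUS code; it assumes that only the first entry whose NAS-IP-Address matches is consulted, that restriction items are alternatives, and that a NAS with no entry is unrestricted. The user `alice` and her group membership are constructed.

```python
import re

# Constructed copy of the two huntgroups entries quoted in the post.
HUNTGROUPS = """\
vpn        NAS-IP-Address == 10.20.30.1
                Group = VPNUSERS

vpn-admin  NAS-IP-Address == 10.20.30.1
                User-Name = admin1,
                User-Name = admin2
"""

def parse_huntgroups(text):
    """Return [(name, nas_ip, [(attr, value), ...])] in file order."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():            # header: name + NAS match
            m = re.match(r"(\S+)\s+NAS-IP-Address\s*==\s*(\S+)", line)
            entries.append((m.group(1), m.group(2), []))
        else:                                # indented restriction items
            for item in line.split(","):
                if item.strip():
                    attr, value = (s.strip() for s in item.split("=", 1))
                    entries[-1][2].append((attr, value))
    return entries

def huntgroup_access(entries, nas_ip, user, groups=()):
    """Model (assumption): the first entry matching the NAS decides."""
    for name, ip, restrictions in entries:
        if ip != nas_ip:
            continue
        allowed = any((a == "User-Name" and v == user) or
                      (a == "Group" and v in groups)
                      for a, v in restrictions)
        return name, allowed                 # later entries are never read
    return None, True                        # no entry for this NAS

if __name__ == "__main__":
    as_posted = parse_huntgroups(HUNTGROUPS)
    for label, order in (("as posted", as_posted),
                         ("reversed", as_posted[::-1])):
        for user, groups in (("admin1", ()), ("alice", ("VPNUSERS",))):
            print(label, user, huntgroup_access(order, "10.20.30.1", user, groups))
```

Reversing the entries only moves the rejection from the admins to the VPN users, because both entries key on the same NAS-IP-Address.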