huntgroup issue, multiple huntgroups per device
Charles Tompkins
crt at thig.com
Tue Nov 14 20:35:53 CET 2006
Is it possible to have multiple huntgroups for the same NAS-IP-ADDRESS?
I am running into this issue trying to configure a VPN appliance that uses
the same FreeRADIUS server to authenticate its users as well as its admins.
The huntgroups file gets checked from top to bottom, so depending which
specified group comes first, the other gets denied access.
i.e.
"../raddb/huntgroups"
vpn             NAS-IP-Address == 10.20.30.1
                Group = VPNUSERS

vpn-admin       NAS-IP-Address == 10.20.30.1
                User-Name = admin1,
                User-Name = admin2
This config keeps the admins out of the vty but lets the users vpn in.
Debug reveals:
No huntgroup access: [admin1] (from client vpn.foo.com port 6256 cli 10.10.10.10)
modcall[authorize]: module "preprocess" returns reject for request 1
modcall: leaving group authorize (returns reject) for request 1
FYI, my users file checks for admins first then falls through to framed
users...
I would like to avoid adding another IP address to the VPN appliance if at
all possible.
Regards from sunny Florida,
-Charles Tompkins
------------
Master timed out! Holding election...
I am declaring myself the master!
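Added example, not part of the original post and not FreeRADIUS code: a simplified Python model of the top-to-bottom huntgroup evaluation the post describes, next to a hypothetical any-match policy for comparison. The VPNUSERS membership (alice, bob), the function names and the any-match variant are assumptions made for illustration.

```python
# Simplified model of the huntgroup check described in the post.
# Illustration only: not FreeRADIUS source. Group membership is constructed.
UNIX_GROUPS = {"VPNUSERS": {"alice", "bob"}}

# Each entry: (huntgroup name, NAS-IP-Address to match, restriction on the user)
HUNTGROUPS = [
    ("vpn", "10.20.30.1", lambda user: user in UNIX_GROUPS["VPNUSERS"]),
    ("vpn-admin", "10.20.30.1", lambda user: user in {"admin1", "admin2"}),
]


def first_match_access(entries, nas_ip, user):
    """The first entry whose NAS check matches decides; later entries are never read."""
    for name, ip, allowed in entries:
        if ip != nas_ip:
            continue
        return ("ok", name) if allowed(user) else ("reject", name)
    return ("ok", None)  # model assumption: a NAS with no entry is unrestricted


def any_match_access(entries, nas_ip, user):
    """Hypothetical policy: accept if any entry for this NAS admits the user."""
    matching = [(name, allowed) for name, ip, allowed in entries if ip == nas_ip]
    if not matching:
        return ("ok", None)
    for name, allowed in matching:
        if allowed(user):
            return ("ok", name)
    return ("reject", matching[0][0])


def compare(nas_ip, users):
    """Decision for each user under file order, reversed order, and any-match."""
    rows = {}
    for user in users:
        rows[user] = (
            first_match_access(HUNTGROUPS, nas_ip, user)[0],
            first_match_access(HUNTGROUPS[::-1], nas_ip, user)[0],
            any_match_access(HUNTGROUPS, nas_ip, user)[0],
        )
    return rows


if __name__ == "__main__":
    for user, row in compare("10.20.30.1", ["alice", "admin1", "mallory"]).items():
        print(f"{user:8} file-order={row[0]:6} reversed={row[1]:6} any-match={row[2]}")
```

With the entries in the posted order, admin1 is rejected by the "vpn" entry before "vpn-admin" is ever consulted; reversing the order moves the rejection to the VPN users instead.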