huntgroup issue, multiple huntgroups per device

Garber, Neal Neal.Garber at energyeast.com
Tue Nov 14 21:50:38 CET 2006


>Is it possible to have multiple huntgroups for the same NAS-IP-ADDRESS?
>I am running into this issue trying to configure a vpn appliance that uses
>the same freeRADIUS server to authenticate its users as well as its admins.

Yes, but something needs to distinguish the two (another attribute).
Are you saying that your appliance is using radius to authenticate VPN
users as well as to authenticate admins that are using telnet/ssh/http
to administratively manage the appliance?  If so, check the request
attributes for each type of access.  Then, you can add the attribute
that lets you tell what access type the user is requesting.

For instance, I have an AP that uses FR to authenticate 802.11 users as
well as for local logons to the AP itself.  In my case, the
NAS-Port-Type allows me to discern the difference between the two types
of access.  For 802.11 user access, the AP sends NAS-Port-Type =
"Wireless-802.11" and for local logon, the AP sends NAS-Port-Type =
"Async" or "Virtual".  Figure out what's different in the request and
then you can have multiple NAS-IP-Address == 10.20.30.1 entries with
different values in the other attribute.  For example:

vpn        NAS-IP-Address == 10.20.30.1, NAS-Port-Type == "XXX"
                Group = VPNUSERS

vpn-admin  NAS-IP-Address == 10.20.30.1, NAS-Port-Type == "YYY"
                User-Name = admin1,
                User-Name = admin2
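
One way to do the "figure out what's different in the request" step, shown as an added example that is not part of the original message: collect a few requests of each access type and look for attributes that are constant within a type but differ between types. The sample requests are constructed (using the AP values mentioned above, in the "Attribute = value" layout of radiusd -X debug output), and the function names are hypothetical.

```python
import re

# Constructed sample requests, laid out like radiusd -X attribute lines.
# Values are illustrative, not captured from a real device.
SAMPLES = {
    "wireless": [
        'User-Name = "alice"\nNAS-IP-Address = 10.20.30.1\n'
        'NAS-Port-Type = Wireless-802.11\nNAS-Port = 12',
        'User-Name = "bob"\nNAS-IP-Address = 10.20.30.1\n'
        'NAS-Port-Type = Wireless-802.11\nNAS-Port = 31',
    ],
    "local-logon": [
        'User-Name = "admin1"\nNAS-IP-Address = 10.20.30.1\n'
        'NAS-Port-Type = Async\nNAS-Port = 1',
        'User-Name = "admin2"\nNAS-IP-Address = 10.20.30.1\n'
        'NAS-Port-Type = Async\nNAS-Port = 2',
    ],
}

ATTR_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*=\s*"?(.*?)"?\s*$')

def parse_request(text):
    """Turn 'Attribute = value' lines into a dict, dropping surrounding quotes."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs

def stable_attrs(requests):
    """Attributes present in every request of one access type with one value."""
    parsed = [parse_request(r) for r in requests]
    common = set.intersection(*(set(p) for p in parsed))
    return {a: parsed[0][a] for a in common if len({p[a] for p in parsed}) == 1}

def discriminators(samples):
    """Attributes stable within each access type whose value differs per type."""
    stable = {cls: stable_attrs(reqs) for cls, reqs in samples.items()}
    shared = set.intersection(*(set(s) for s in stable.values()))
    result = {}
    for attr in sorted(shared):
        values = {cls: s[attr] for cls, s in stable.items()}
        if len(set(values.values())) == len(values):
            result[attr] = values
    return result

if __name__ == "__main__":
    for attr, values in discriminators(SAMPLES).items():
        print(attr, values)
```

Per-user attributes such as User-Name and NAS-Port drop out because they vary within a type, and NAS-IP-Address drops out because it is the same for both.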




