huntgroups question

Alan DeKok aland at deployingradius.com
Mon Nov 20 17:51:59 CET 2006


Alexandru Dincov wrote:
> Hello,
> We plan to use freeradius for authenticating remote access to more than
> 2000 network devices (CISCO, Nortel, etc.) and we want to do some access
> control based on huntgroups. Users and RADIUS profiles are stored in an
> LDAP backend. Following freeradius documentation, we have to define all
> 2000+ IP addresses in huntgroups configuration file; apparently there is
> no way to use IP ranges for defining huntgroups. But this solution
> (having one huntgroups configuration file with more than 2000 entries
> for each freeradius server) would be very difficult to maintain. Does
> anyone know if there are any limitations in huntgroups size? Are there other
> solutions to have huntgroups functionality (access control based on
> NAS-IP-Address or Client-IP-Address) using IP address ranges?
> Thanks,

  The huntgroups are a bit of a hack for backwards compatibility going
back almost a decade.  For 2000 machines, I would suggest using
rlm_passwd.  See the "man rlm_passwd" page for an example of setting up
groups based on User-Name.  The same method can be used to set up groups
based on Client-IP-Address.  You then have groups controlled by a flat
text file, which is pretty easy to manage.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
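As an added illustration (not from this thread, and not the FreeRADIUS project's own documented example), here is the rlm_passwd layout Alan describes, keyed on Client-IP-Address; the attribute name, file path and group names are constructed, and the prefix semantics of the format string should be confirmed against the installed version's rlm_passwd man page.

```conf
# --- raddb/dictionary (local dictionary): internal attribute carrying the group.
#     Attribute numbers above 255 never go on the wire; 3000 is a constructed choice.
ATTRIBUTE   NAS-Group   3000    string

# --- raddb/nas_groups (constructed flat file), one "<client IP>:<group>" per line:
#     192.0.2.10:core-routers
#     192.0.2.11:core-routers
#     198.51.100.7:edge-switches

# --- radiusd.conf, modules section: rlm_passwd keyed on Client-IP-Address.
#     '*' marks the key field; a field with no prefix is added to the request
#     list, which is the list the users file compares its check items against.
passwd nas_groups {
        filename = ${confdir}/nas_groups
        format = "*Client-IP-Address:NAS-Group"
        delimiter = ":"
        hash_size = 100          # the file is hashed into memory at startup
        ignore_nislike = no
        allow_multiple_keys = no
}

# --- radiusd.conf, authorize section: run the lookup before "files" so that
#     NAS-Group already exists when the users file is evaluated.
authorize {
        preprocess
        nas_groups
        files
        ldap
}

# --- users: default-deny any device that is not listed in nas_groups, then key
#     the former huntgroup entries on NAS-Group instead of on address lists.
DEFAULT NAS-Group !* ANY
        Auth-Type := Reject

DEFAULT NAS-Group == "core-routers"
        Fall-Through = Yes
```

Adding a device then means appending one line to nas_groups on each server rather than editing a 2000-entry huntgroups file, and the default-deny entry makes an unlisted device fail closed.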
