huntgroups question
Alan DeKok
aland at deployingradius.com
Mon Nov 20 17:51:59 CET 2006
Alexandru Dincov wrote:
> Hello,
> We plan to use freeradius for authenticating remote access to more than
> 2000 network devices (CISCO, Nortel, etc.) and we want to do some access
> control based on huntgroups. Users and RADIUS profiles are stored in an
> LDAP backend. Following freeradius documentation, we have to define all
> 2000+ IP addresses in huntgroups configuration file, apparently there is
> no way to use IP ranges for defining huntgroups. But this solution
> (having one huntgroups configuration file with more than 2000 entries
> for each freeradius server) would be very difficult to maintain. Anyone
> knows if there are any limitations in huntgroups size? Are there other
> solutions to have huntgroups functionality (access control based on
> NAS-IP-Address or Client-IP-Address) using IP address ranges?
> Thanks,
The huntgroups are a bit of a hack for backwards compatibility going
back almost a decade. For 2000 machines, I would suggest using
rlm_passwd. See the "man rlm_passwd" page for an example of setting up
groups based on User-Name. The same method can be used to set up groups
based on Client-IP-Address. You then have groups controlled by a flat
text file, which is pretty easy to manage.
Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
More information about the Freeradius-Users
mailing list