huntgroups question [unclas]

Ranner, Frank MR Frank.Ranner at
Tue Nov 21 03:01:24 CET 2006

You could put your ip hosts into ldap, and use an entry in the hints 
file to look up ldap and set either the huntgroup name or the Hint 

        Hint =

# check for presence in Ldap-Group matching Hint or Huntgroup with possible suffixes
DEFAULT Hint == "", Huntgroup-Name !* Any,Auth-Type := Reject
        Reply-Message := "Unknown device, not present in any group."

DEFAULT LDAP-Group == "%{Hint:-%{Huntgroup-Name}}_munge"
        Reply-Message := "%u found in %{Hint}- We have a combined
        Fall-Through = no

DEFAULT Hint != "", LDAP-Group == "%{Hint}_qwerty"
        Reply-Message := "%u found in %{Hint}- We have a hinted
        Fall-Through = no

DEFAULT Huntgroup-Name =* Any, LDAP-Group == "%{Huntgroup-Name}_qwerty"
        Reply-Message := "%u found in %{Huntgroup-Name}- We have a hunted winner!",
        Fall-Through = no

# If you don't match any of the systems, deny access
DEFAULT Auth-Type := Reject
        Reply-Message := "You are not in %{Hint:-%{Huntgroup-Name}}"

It is better to set Hint because it will be set to "" if the ldap query
returns no entry. If you set Huntgroup-Name, the huntfile will not be
processed. Using Hint means you can also search for huntgroup the
old-fashioned way.

Here is a device entry:

dn: cn=ps43a,ou=hosts,dc=...
objectClass: top
objectClass: device
objectClass: ipHost
objectClass: radiusprofile
cn: ps43a
radiusHuntgroupName: dsl

All you need is 2000 more like that one!

Frank Ranner

> -----Original Message-----
> On Behalf Of Michael Mitchell
> Sent: Tuesday, 21 November 2006 08:49
> To: FreeRadius developers mailing list; 
> freeradius-users at
> Subject: Re: huntgroups question
> Alexandru Dincov wrote:
> > knows if there are any limitations in huntgroups size? Are there other
> > solutions to have huntgroups functionality (access control based on
> > NAS-IP-Address or Client-IP-Address) using IP address ranges?
> Hi Alex,
> You can do regular expression matches in the huntgroups file. 
> For example:
> dial	Client-IP-Address =~ 192.168.1..*
> dsl	Client-IP-Address =~ 192.168.2..*
> Maybe that can get you close to what you want?
> Oh and by the way, these types of questions should be asked 
> on the FreeRADIUS Users list.
> cheers,
> Mike
> -
> List info/subscribe/unsubscribe? See 
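
Added example (not part of the original thread): a Python check of which client addresses the two quoted huntgroup patterns accept, compared with the /24 ranges they appear intended to cover. It assumes the `=~` operator performs an unanchored regex search, as `re.search` does; the sample addresses, the anchored patterns (written in Python regex syntax, not FreeRADIUS file syntax) and the /24 interpretation are constructed for illustration.

```python
import ipaddress
import re

# Patterns exactly as written in the quoted huntgroups example.
QUOTED = {"dial": r"192.168.1..*", "dsl": r"192.168.2..*"}
# Anchored, dot-escaped variants (constructed here for comparison).
STRICT = {"dial": r"^192\.168\.1\.", "dsl": r"^192\.168\.2\."}
# Assumption: each quoted line was meant to cover exactly one /24.
INTENDED = {
    "dial": ipaddress.ip_network("192.168.1.0/24"),
    "dsl": ipaddress.ip_network("192.168.2.0/24"),
}

# Constructed sample client addresses.
SAMPLES = ["192.168.1.7", "192.168.2.40", "192.168.10.7",
           "192.168.200.9", "2.192.168.10", "10.0.0.1"]


def regex_groups(addr, patterns):
    """Huntgroups whose pattern matches anywhere in the address string."""
    return sorted(g for g, p in patterns.items() if re.search(p, addr))


def cidr_groups(addr):
    """Huntgroups whose intended /24 really contains the address."""
    ip = ipaddress.ip_address(addr)
    return sorted(g for g, net in INTENDED.items() if ip in net)


def overmatches(addrs, patterns):
    """Addresses placed in a huntgroup they do not belong to by range."""
    return [a for a in addrs
            if set(regex_groups(a, patterns)) - set(cidr_groups(a))]


if __name__ == "__main__":
    print(f"{'address':<16}{'quoted':<10}{'strict':<10}{'cidr':<10}")
    for a in SAMPLES:
        row = [regex_groups(a, QUOTED), regex_groups(a, STRICT), cidr_groups(a)]
        print(f"{a:<16}" + "".join(f"{','.join(r) or '-':<10}" for r in row))
    print("over-matched by quoted patterns:", overmatches(SAMPLES, QUOTED))
    print("over-matched by strict patterns:", overmatches(SAMPLES, STRICT))
```

Because an unescaped `.` matches any character and the search is not anchored, the quoted patterns also admit addresses such as 192.168.10.7 and 2.192.168.10; anchoring and escaping close that gap for access-control decisions.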
