How to restrict users /PAM to specific NAS devices??

Ellis, Scott 1 (N-Comptel Inc.) scott.1.ellis at lmco.com
Wed Jan 3 00:21:20 CET 2007


Well here is where I am. 

I am using PAM.

All I need to pull all the pieces together is one simple example of what
has to be done to do the following: user1 and user2 can access devices
10.1.1.1, 10.1.1.2, and user3 can access only 10.1.1.3.
*************

Here is where I am. To turn on rlm_passwd, I think, you have to go to
radiusd.conf and create a passwd entry, say:

passwd My_group {
       filename = ${raddbdir}/My.group
       format = "=Group-Name:*,User-Name"
       authtype = PAM
       delimiter = ":"
}

(I hope I can auth via PAM since that is how my security is tailored.)

Next, you have to add it to the dictionary ... My_group?

Then, I was thinking I could use the huntgroups and add entries called
admin and ops. The huntgroup would include multiple entries:

huntgroups

admin      NAS-IP-Address = 10.1.1.1
admin      NAS-IP-Address = 10.1.1.2
           User-Name = user1,
           User-Name = user2
ops        NAS-IP-Address = 10.1.1.3
           User-Name = user3

Next, in the My.group file I would put "admin:user1,user2" and on the
next line "ops:user3"

Finally, if I am at least close, I am not entirely clear how to set up
the USERS file for user1, user2 and user3.

Can I use the following:
user1     My_group == "admin" ??? (this would add admin to my custom
group for user1??)

Then, how do I map user1 with My_group "admin" to the admin huntgroup?
Or do I just insert a DEFAULT entry at the bottom and include
huntgroup-name == admin ???

Scott

-----Original Message-----
From: freeradius-users-bounces+scott.1.ellis=lmco.com at lists.freeradius.org [mailto:freeradius-users-bounces+scott.1.ellis=lmco.com at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Tuesday, January 02, 2007 4:12 PM
To: FreeRadius users mailing list
Subject: Re: How to restrict users /PAM to specific NAS devices??

Ellis, Scott 1 (N-Comptel Inc.) wrote:
> I have looked it over, but I am still not clear.

  What *exactly* about the documentation is not clear?  You can use
rlm_passwd to make a group of anything you want.

> I was thinking that I
> could use huntgroups to map devices to specific groups, but then I am 
> not clear on how to restrict users ('users' file) to those groups.

  The FAQ has an example of limiting users to groups.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
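A sketch of how the pieces asked about above could be wired together in a FreeRADIUS 1.x-style configuration, added here as an illustration; it is not from the original thread or from the FreeRADIUS project. It assumes a locally defined attribute My-Group-Name (the name and the number 3000 are my choice) instead of the built-in Group-Name, because rlm_unix registers a comparison for Group and Group-Name that consults /etc/group rather than the request, and it assumes the `~` field prefix behaves as the rlm_passwd module comments describe (the field is added to the request items), which is worth confirming against the rlm_passwd documentation for your version.

```text
# --- raddb/dictionary: a local attribute for the group name (3000 is in
#     the range reserved for local use; name and number are my choice) ---
ATTRIBUTE   My-Group-Name   3000   string

# --- raddb/My.group: group name, then a comma-separated member list ---
admin:user1,user2
ops:user3

# --- radiusd.conf, modules section: rlm_passwd instance that looks the
#     User-Name up in the member list ("*," = multi-valued key field) and
#     adds the group name to the request items ("~") for 'users' to test.
passwd My_group {
        filename = ${confdir}/My.group
        format = "~My-Group-Name:*,User-Name"
        delimiter = ":"
        hashsize = 100
        allowmultiplekeys = yes
}

# --- raddb/huntgroups: which NAS belongs to which huntgroup ---
admin   NAS-IP-Address == 10.1.1.1
admin   NAS-IP-Address == 10.1.1.2
ops     NAS-IP-Address == 10.1.1.3

# --- raddb/users: only the matching group passes on each huntgroup; the
#     last DEFAULT catches everyone else (no Fall-Through on the entries above).
DEFAULT Huntgroup-Name == "admin", My-Group-Name == "admin", Auth-Type := PAM

DEFAULT Huntgroup-Name == "ops",   My-Group-Name == "ops",   Auth-Type := PAM

DEFAULT Auth-Type := Reject
        Reply-Message = "You are not allowed on this NAS"

# --- radiusd.conf: preprocess (huntgroups) and My_group must run before
#     files in authorize; the PAM Auth-Type must be enabled in authenticate.
authorize {
        preprocess
        My_group
        files
}
authenticate {
        Auth-Type PAM {
                pam
        }
}
```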