How to restrict users /PAM to specific NAS devices??

Alan DeKok aland at
Wed Jan 3 15:58:17 CET 2007

Ellis, Scott 1 (N-Comptel Inc.) wrote:
> Well here is where I am. 
> I am using PAM.

  Yes, you've said that lots.  And it has nothing to do with user names,
grouping, or RADIUS client devices.  It's completely irrelevant to the
problem at habd.

> All I need to pull all the pieces together is one simple example of what
> has to be done to do the following: user1 and user2 can access devices
>,, and user3 can access only
> *************
> Here is where I am. To turn on rlm_passwd, I think, you have to goto
> radiusd.conf and create a passwd entry say passwd My_group {
>        filename = ${raddbdir}/
>        format "=Group-Name:*,User-Name"

  No, the Group and Group-Name attributes are for Unix groups.  The
documentation for rlm_passwd says specifically that you need to create a
different attribute.

>        authtype = PAM (I hope I can auth via PAM since that is how my
> security is tailored)

  You don't need that line.  Delete it.

> Next, you have to add it to the dictionary ... My_group?


> Then, I was thinking I could use the huntgroups and add a entry called
> admin and ops. The huntgroup would include multiple entries

  If you're going to use huntgroups, then you don't need to use
rlm_passwd, but you do need extra entries in the "users" file... as
documented in the "huntgroups" file itself.

> huntgroups
> admin      NAS-IP-Address =
> admin      NAS-IP-Address =
>            User-Name = user1,
>            User-Name = user2
> ops        NAS-IP-Address =
>            User-Name = user3

  You should use the same huntgroup name for them all.

> Finally, if I am at least close, I am not entirely clear how to setup
> the USERS file for
> user1 and user2 and user3.

  You don't.  As per the documentation in the "huntgroups" file, you can
match a huntgroup by doing:

DEFAULT Huntgroup-Name == "admin"

  If you read the FAQ, there is an example of rejecting a user based on
certain criteria.  With a little bit of putting the pieces together, the
following should work:

DEFAULT Huntgroup-Name != "admin", Auth-Type := Reject

  Which will reject everyone who doesn't match the criteria in the
huntgroups file.  If you want something more complicated, you will need
a more complicated configuration.

  Part of the issue is that there is no one place which will give you
the exact configuration you need to solve the problem.  Instead, the
documentation describes how to solve problems, and it's up to you to put
the pieces together.

  Alan DeKok.
--       - The web site of the book - The blog

More information about the Freeradius-Users mailing list