Accept authentication from a list of equipments

tnt at kalik.co.yu tnt at kalik.co.yu
Sat Jul 21 11:33:38 CEST 2007


Use attr_rewrite in pre-proxy section of radiusd.conf on the proxy to
append "Dev" and "Prod" to Called-Station-Id. Then use regexp check
in huntgroups to test for appended strings.

Ivan Kalik
Kalik Informatika ISP


On 21/7/2007, "nicolaskarp at free.fr" <nicolaskarp at free.fr> wrote:

>
>
>Yes I know but how ? It's not a simple equipment, it's a network
>
>192.168.0.0 / 24 : Users1
>192.168.1.0 / 24 : Users2
>10.0.0.0 / 8 : Users1
>....... (and other networks : 1800 equipments)
>
>If I make this with the huntgroupfile, I will type:
>
>#NAS1 Equipment (Ldap Group :  Dev-Equipment)
>NAS1 NAS-IP-ADDRESS = 192.168.0.1
>NAS1 NAS-IP-ADDRESS = 192.168.0.2
>NAS1 NAS-IP-ADDRESS = 192.168.0.3
>NAS1 NAS-IP-ADDRESS = 192.168.0.4
>....
>....
>NAS1 NAS-IP-ADDRESS = 192.168.0.254
>
>#NAS2 Equipment ( Ldap Group : Prod-Equipment)
>NAS2 NAS-IP-ADDRESS = 192.168.1.1
>NAS2 NAS-IP-ADDRESS = 192.168.1.2
>....
>....
>NAS2 NAS-IP-ADDRESS = 192.168.1.254
>etc..
>
>I can't type :
>NAS2 NAS-IP-ADDRESS = 192.168.1.0/24 ?
>
>
>So how can I make the difference between the devices (==> Authentication with
>another Ldap Group)?
>
>
>Thanks
>
>Nicolas.
>
>tnt at kalik.co.yu wrote:
>> Try Called-Station-Id.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>>
>> On 20/7/2007, "nicolaskarp at free.fr" <nicolaskarp at free.fr> wrote:
>>
>>> Hello Everybody,
>>>
>>>
>>> We have several network equipments with radius authentication. We want to limit
>>> the access to several administrators. We use a radius-proxy and a radius server
>>> with a LDAP base.
>>>
>>>
>>> For example :
>>>
>>>
>>> We have two NAS : NAS1 and NAS2
>>> Two groups of users USERS1 and USERS2 in the LDAP base. USERS1 can access to
>>> NAS1 and USER2 can access to NAS2.
>>>
>>>
>>> Proxy configuration :
>>>
>>> ** clients.conf **
>>>
>>> NAS1 {
>>> hostname = NAS1
>>> secret =  NAS1_SECRET
>>> }
>>>
>>> NAS2 {
>>>  hostname = NAS2
>>>  secret = NAS2_SECRET
>>> }
>>>
>>> ** proxy.conf **
>>>
>>> realm null {
>>>  type = radius
>>>  authhost = radius_server
>>>  accthost = radius_server
>>>  secret = RADIUS_SECRET
>>> }
>>>
>>>
>>> Radius_configuration :
>>>
>>> ** HUNTGROUP **
>>>
>>> cisco NAS-IP-ADDRESS = IP_PROXY
>>>
>>> ** USERS **
>>>
>>> DEFAULT Huntgroup-Name == cisco, instance_openldap-Ldap-Group == ??? USERS1 or USER2 ???
>>> # It's USERS1 for NAS1 and USER2 for NAS2, but the proxy rewrites the
>>> NAS_IP_Address by its address :( I can't differentiate the NAS_IP because it's
>>> the PROXY IP.
>>>
>>>
>>> How can I differentiate these equipments? For information, my equipments
>>> are Cisco equipment.
>>>
>>>
>>> Thanks for your assistance !
>>>
>>> Nicolas.
>>> -
>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>>
>>>

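The approach suggested in the reply at the top of this message, modelled as an added Python example (not part of the original thread and not FreeRADIUS configuration): the proxy appends a tag chosen from the NAS's source network, and the home server picks the LDAP group by a regex on that tag. The network-to-tag table, the function names and the stripping of client-supplied tags are assumptions for illustration.

```python
import ipaddress
import re

# Constructed mapping built from the networks quoted in the thread; placing
# 10.0.0.0/8 under "Dev" is an assumption (the thread lists it with Users1).
NETWORK_TAGS = [
    (ipaddress.ip_network("192.168.0.0/24"), "Dev"),
    (ipaddress.ip_network("192.168.1.0/24"), "Prod"),
    (ipaddress.ip_network("10.0.0.0/8"), "Dev"),
]
# Home-server side: regex on the appended string -> LDAP group from the thread.
TAG_GROUPS = [
    (re.compile(r"Dev$"), "Dev-Equipment"),
    (re.compile(r"Prod$"), "Prod-Equipment"),
]
KNOWN_TAG = re.compile(r"(Dev|Prod)+$")


def proxy_tag(request):
    """Proxy step: append the tag for the NAS's network to Called-Station-Id."""
    out = dict(request)
    # Drop any tag the NAS itself supplied, so only the proxy decides the group.
    station = KNOWN_TAG.sub("", out.get("Called-Station-Id", ""))
    nas_ip = ipaddress.ip_address(out["NAS-IP-Address"])
    tag = next((t for net, t in NETWORK_TAGS if nas_ip in net), "")
    out["Called-Station-Id"] = station + tag
    # The original poster reports that the proxy replaces NAS-IP-Address
    # with its own address, so the home server cannot use it.
    out["NAS-IP-Address"] = "IP_PROXY"
    return out


def required_ldap_group(proxied):
    """Home-server step: the appended string selects the LDAP group."""
    station = proxied.get("Called-Station-Id", "")
    for pattern, group in TAG_GROUPS:
        if pattern.search(station):
            return group
    return None  # untagged request: no group matches, so it is rejected


def authorize(request, user_groups):
    """True only if the user is in the group required for the NAS's network."""
    group = required_ldap_group(proxy_tag(request))
    return group is not None and group in user_groups
```

A NAS outside every listed network gets no tag and is rejected, and a tag sent by the NAS itself is discarded before the proxy appends its own.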