catch-all line at the end of users file?

Brian Johnson voyager.106 at gmail.com
Wed Jun 6 16:04:29 CEST 2007 

Hello again all,

Thanks to the folks who responded to my earlier plea with regards to
authenticating many Cisco devices using radius.  I'm trying to weigh
my options and see which direction I want to go.

One Idea I had after sending mail to the list was, have a sort of
"catch-all" line at the end of the users file, so that if the radius
server hears a request from a device where the client-ip-address isn't
specified already in the file, it would look in our custom group file
for authorized users and allow them entry.  Here's an idea of what I'm
thinking:


DEFAULT Auth-Type = Kerberos
        Fall-Through = 1
DEFAULT Client-IP-Address == 10.0.0.60, Huntgroup-Name == group1
DEFAULT Client-IP-Address == 10.0.0.226, Huntgroup-Name == group2
DEFAULT Called-Station-Id == 5551234, Custom-Group == "dept800"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Routing = Broadcast-Listen,
        Framed-MTU = 1500,
        Session-Timeout = 28800,
        Idle-Timeout = 28800,
        Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Called-Station-Id == 5551234, Auth-Type := Reject
...
and at the end:
DEFAULT Custom-Group == "routerfolk"
DEFAULT Auth-Type := Reject

My thinking is, if the request comes from a device where the
client-ip-address is specified, then it will let it through.  If it
comes from a device where the client-ip-address is not specified, then
it will hit the next to the last line of the file, check the
custom-group file and see if the user exists in it.  If they do,
they're authenticated on the device.  If they don't exist in the file,
then they'll hit the last line and be rejected.

However, what I've found in practice is, even if a request is heard
from a device where the client-ip-address is specified above, they're
still being rejected by the last line.  Is there any way that I can
tell the last line to reject *only* if there isn't a match previous to
it?

Thanks again for any help!

Brian


-- 
Brian Johnson
"And I will be even more undignified than this, and will be humble in
my own sight." (2 Samuel 6:22)

More information about the Freeradius-Users mailing list