Default Authentication

tnt at kalik.co.yu
Fri May 4 11:00:20 CEST 2007


Yes, they can. They are not restricted in any way. Group fw-group is
restricted only to 10.0.0.1 and 10.0.0.2. If you want to stop other
groups from logging in there make huntgroups like this:

fw-pix   NAS-IP-Address == 10.0.0.1
            Group = fw-group

fw-pix   NAS-IP-Address == 10.0.0.2
            Group = fw-group

Router groups will then be able to log in elsewhere but not on 1.0.0.1 and
10.0.0.2.

Ivan Kalik
Kalik Informatika ISP

On 4/5/2007, "Norman Zhang" <norman.zhang at gmail.com> wrote:

>Alan DeKok wrote:
>>   If you want only groups A and B to log in, do:
>>
>> DEFAULT Group == A, Auth-Type = System
>> 	...
>>
>> DEFAULT Group == B, Auth-Type = System
>> 	...
>>
>> DEFAULT Auth-Type := Reject
>
>Thanks. Here's what I've done.
>
>DEFAULT Group == router-ro, Auth-Type = System
>	Service-Type = NAS-Prompt-User,
>	cisco-avpair := "shell:priv-lvl=7"
>
>DEFAULT Group == router-rw, Auth-Type = System
>	Service-Type = NAS-Prompt-User,
>	cisco-avpair := "shell:priv-lvl=15"
>
>but I can't get restriction for another group "fw-group" to work.
>
>*added to users*
>DEFAULT Group == fw-group, Auth-Type = System
>         Huntgroup-Name == "fw-pix",
>         Service-Type = NAS-Prompt-User,
>         cisco-avpair := "shell:priv-lvl=15"
>
>*added to huntgroups*
>fw-pix NAS-IP-Address == 10.0.0.1
>fw-pix NAS-IP-Address == 10.0.0.2
>
>Groups "router-ro" and "router-rw" can still log in to the PIX. Can you
>give me a few more pointers?
>
>Norman
>




More information about the Freeradius-Users mailing list
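
The following is an added sketch, not FreeRADIUS code and not part of the original post: a simplified Python model of the decision discussed in this thread, showing why a huntgroups entry that only names the NAS leaves other groups able to log in, while adding `Group = fw-group` under it rejects them. Function names and data layout are assumptions, and the final reject assumes the closing `DEFAULT Auth-Type := Reject` entry Alan suggested.

```python
# Simplified model of huntgroup restriction plus users-file DEFAULT matching.
# All data below is constructed from the values quoted in the thread.

# (huntgroup name, NAS check items, allowed groups or None for "no restriction")
LABEL_ONLY = [  # what Norman added: names the PIX but restricts nobody
    ("fw-pix", {"NAS-IP-Address": "10.0.0.1"}, None),
    ("fw-pix", {"NAS-IP-Address": "10.0.0.2"}, None),
]
RESTRICTED = [  # what Ivan suggests: "Group = fw-group" under each entry
    ("fw-pix", {"NAS-IP-Address": "10.0.0.1"}, {"fw-group"}),
    ("fw-pix", {"NAS-IP-Address": "10.0.0.2"}, {"fw-group"}),
]

# users-file DEFAULT entries in order: (group, required Huntgroup-Name or None)
USERS = [("router-ro", None), ("router-rw", None), ("fw-group", "fw-pix")]


def huntgroup_check(request, user_groups, huntgroups):
    """First entry whose NAS items match decides: (allowed, huntgroup name)."""
    for name, check, allowed in huntgroups:
        if all(request.get(k) == v for k, v in check.items()):
            if allowed is not None and not (user_groups & allowed):
                return False, None  # NAS matched, user not in an allowed group
            return True, name
    return True, None  # NAS is in no huntgroup: nothing to enforce


def authorize(request, user_groups, huntgroups):
    """Apply the huntgroup restriction first, then the DEFAULT entries."""
    ok, hg = huntgroup_check(request, user_groups, huntgroups)
    if not ok:
        return "reject (huntgroup restriction)"
    for group, need_hg in USERS:
        if group in user_groups and need_hg in (None, hg):
            return f"accept via DEFAULT Group == {group}"
    return "reject (no DEFAULT matched)"  # assumed final Auth-Type := Reject


if __name__ == "__main__":
    pix, other = {"NAS-IP-Address": "10.0.0.1"}, {"NAS-IP-Address": "10.0.0.9"}
    for label, hgs in (("label only", LABEL_ONLY), ("restricted", RESTRICTED)):
        print(label, "router-ro on PIX:", authorize(pix, {"router-ro"}, hgs))
        print(label, "fw-group on PIX: ", authorize(pix, {"fw-group"}, hgs))
        print(label, "fw-group elsewhere:", authorize(other, {"fw-group"}, hgs))
```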