Per device/user attributes
tnt at kalik.net
Thu Aug 28 15:56:14 CEST 2008
This is easier in the users file. In sql you can use groups and have customer
router IP as NAS-IP-Address for customer group and your router IP for
core group in radgroupcheck. In radgroupreply you should return Service-Type
and priv level (1 for core and 15 for customer).
If there are several tech levels, groups should be level1customer, level1core
etc. If this is an arrangement for multiple devices you should group
NAS-IP-Addresses in huntgroups and use Huntgroup-Name in sql groups.
Kalik Informatika ISP
On 28/8/2008, "Gene Hinds" <Gene.Hinds at birch.com> wrote:
>I have recently installed freeradius and set it up to use a mysql
>database which will store username, passwords and attributes. My current
>goal is to limit user access and privileges into Cisco, and other types,
>of routers when support personnel SSH/telnet into them. I currently have
>the general access working well enough but I am having problems in
>figuring out how to do something I thought would be simple.
> I am trying to determine how to have freeradius respond with
>different attributes for a user depending on what device he telnets
>into. If he is a level 1 tech and telnets into a customer router I want
>him to have admin rights but if he telnets into a Core router I want him
>to only have Cisco level 1 access. Since these are naturally different
>attributes the response from freeradius needs to be different depending
>on the routers sending the request. From reading it seems this is
>possible with some rules in possibly the "radcheck" table but I cannot
>fully grasp the concept.
> Can someone please give me some direct documentation or
>configuration examples on this issue? I seem to know just enough to
>get myself in trouble so the more detailed the instructions the better.
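The group arrangement described in the reply, written out as an added example that is not part of either message. It assumes the stock FreeRADIUS MySQL schema (radusergroup, radgroupcheck, radgroupreply) and that the privilege level is returned as a Cisco-AVPair with Service-Type NAS-Prompt-User; the user name, router addresses and huntgroup name are constructed.

```sql
-- Added example (not from the thread). Assumes the stock FreeRADIUS MySQL
-- schema; user name, router IPs (RFC 5737 documentation ranges) and the
-- huntgroup name are constructed for illustration.

-- The level 1 tech is a member of both groups; the check items decide which applies.
INSERT INTO radusergroup (username, groupname, priority) VALUES
  ('jdoe', 'level1customer', 1),
  ('jdoe', 'level1core',     2);

-- Check items: a group matches only when the request comes from that router.
INSERT INTO radgroupcheck (groupname, attribute, op, value) VALUES
  ('level1customer', 'NAS-IP-Address', '==', '192.0.2.10'),
  ('level1core',     'NAS-IP-Address', '==', '198.51.100.1');

-- Reply items: Service-Type plus privilege level
-- (15 on customer routers, 1 on core routers, as in the reply above).
INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES
  ('level1customer', 'Service-Type', ':=', 'NAS-Prompt-User'),
  ('level1customer', 'Cisco-AVPair', '+=', 'shell:priv-lvl=15'),
  ('level1core',     'Service-Type', ':=', 'NAS-Prompt-User'),
  ('level1core',     'Cisco-AVPair', '+=', 'shell:priv-lvl=1');

-- With several routers per class, define the huntgroups on the server and
-- match on Huntgroup-Name instead of a single address, for example:
--   ('level1core', 'Huntgroup-Name', '==', 'core')   -- 'core' is hypothetical

-- Audit query: groups that return priv-lvl 15 but carry no device restriction.
-- Any row here is a group that grants admin rights on every NAS.
SELECT DISTINCT gr.groupname
FROM radgroupreply gr
LEFT JOIN radgroupcheck gc
       ON gc.groupname = gr.groupname
      AND gc.attribute IN ('NAS-IP-Address', 'Huntgroup-Name')
WHERE gr.attribute = 'Cisco-AVPair'
  AND gr.value = 'shell:priv-lvl=15'
  AND gc.groupname IS NULL;
```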