Per device/user attributes
Alan DeKok
aland at deployingradius.com
Thu Aug 28 16:05:29 CEST 2008
Gene Hinds wrote:
> I am trying to determine how to have freeradius respond with
> different attributes for a user depending on what device he telnets
> into.
You key off of the source IP address. See "man unlang"
    if (Packet-Src-IP-Address == 1.2.3.4) {
        update reply {
            Reply-Message := "Foo!"
        }
    }
...
> If he is a level 1 tech and telnets into a customer router I want
> him to have admin rights but if he telnets into a Core router I want him
> to only have Cisco level 1 access. Since these are naturally different
> attributes the response from freeradius needs to be different depending
> on the routers sending the request. From reading it seems this is
> possible with some rules in possibly the "radcheck" table but I cannot
> fully grasp the concept.
I'm not sure that the SQL schema is up to that task.
> Can someone please give me some direct documentation or
> configuration examples on this issue? I seem to know just just enough to
> get myself in trouble so the more detailed the instructions the better.
What you can do instead is to abstract the privilege level from the
returned attributes. e.g. create a schema with <admin, ip, privilege>
Then do:
    update control {
        Tmp-String-0 = "%{sql: SELECT foo from bar WHERE user = %{User-Name} ..."
    }

    # the value was stored in the control list, so read it back from there
    switch "%{control:Tmp-String-0}" {
        case low {
            update reply {
                ...
            }
        }
        case high {
            update reply {
                ...
            }
        }
    }
Hope that makes sense.
Alan DeKok.
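The approach sketched in the reply above, written out as a complete post-auth policy; this is an added example, not Alan's code, and it assumes a hypothetical table device_priv(username, nas_ip, privilege) holding 'low' or 'high' per user/device pair and an already configured "sql" module instance.

```unlang
# Added example (not from the post above). Select the Cisco privilege
# level by (user, device). Assumes a hypothetical table
# device_priv(username, nas_ip, privilege) with privilege in ('low','high')
# and an "sql" module instance configured in radiusd.conf / sql.conf.
# Packet-Src-IP-Address is the real source address of the request, so it
# cannot be forged by the client the way NAS-IP-Address in the packet can.
post-auth {
    update control {
        Tmp-String-0 := "%{sql:SELECT privilege FROM device_priv WHERE username = '%{SQL-User-Name}' AND nas_ip = '%{Packet-Src-IP-Address}'}"
    }

    switch "%{control:Tmp-String-0}" {
        case high {
            # full admin shell on this device
            update reply {
                Service-Type := NAS-Prompt-User
                Cisco-AVPair := "shell:priv-lvl=15"
            }
        }
        case low {
            # restricted level 1 shell on this device
            update reply {
                Service-Type := NAS-Prompt-User
                Cisco-AVPair := "shell:priv-lvl=1"
            }
        }
        case {
            # no row for this user/device pair: fail closed instead of
            # handing out a default privilege level
            reject
        }
    }
}
```

Run the server with `radiusd -X` and send a test request with `radtest` to confirm the expected Cisco-AVPair appears in the Access-Accept for each device address.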