Multiple switches access + ldap

Ivan Kalik tnt at kalik.net
Tue Mar 25 01:11:54 CET 2008


You group devices in huntgroups and users in groups and then regulate
access. If a user/group should have access only to a group of devices
you add that Huntgroup-Name to the profile. If a user/group should have
access only to a single device you add that device's NAS-IP-Address to the
profile.

Doing it all in ldap is much more complicated.

Ivan Kalik
Kalik Informatika ISP


On 24/3/2008, "julio at pop-pe.rnp.br" <julio at pop-pe.rnp.br> wrote:

>Anyone?
>
>by the way, my freeradius version is 2.0.2
>
>> Hello all,
>>
>> I want to know if this kind of answer by RADIUS is possible:
>> I need to authenticate some users for the switches in my network (all from
>> 3com) and the users don't have the same access level in all switches, for
>> example, the user1 has admin access level in SWITCH1 and doesn't have access
>> for SWITCH2, but the user2 has admin access to both of them.
>>
>> I have a working configuration where a user has the same access level for
>> all switches and in this way I have a LDAP base like this:
>> uid = user1
>> userPassword = teste
>> 3Com-User-Access-Level = 3Com-Administrator
>>
>> I was thinking about changing the configuration of my LDAP database, creating
>> a child for each switch that the user has access to and in this subtree putting
>> the level of access, making the LDAP base 'appear' like this:
>>          uid = user1
>>          userPassword = teste
>>        /                   \
>>  cn = SWITCH1              cn = SWITCH2             .......
>>  3com-level = admin        3com-level = level       .......
>>
>> Is this a good way of doing this? Are there other ways? Using this way,
>> how can I put the right answer in the RADIUS reply?
>>
>> Thanks
>> Julio Andrade
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>
>
>
>
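
The huntgroup and NAS-IP-Address approach from the reply above, applied to the user1/user2 case in the question, as an added example that is not part of the original thread or the FreeRADIUS project's own configuration. The addresses, the huntgroup name "switches" and the Reply-Message text are constructed placeholders. It assumes passwords are still checked against LDAP and that 3Com-User-Access-Level is no longer stored on the user's LDAP entry, so the level comes only from these entries.

```text
# ---- raddb/huntgroups (read by the preprocess module) ----
# One line per NAS. Addresses are constructed placeholders from the
# RFC 5737 documentation range; use each switch's real NAS-IP-Address.
switches    NAS-IP-Address == 192.0.2.11
switches    NAS-IP-Address == 192.0.2.12

# ---- raddb/users (read by the files module) ----
# Entries are tried top to bottom; the first matching entry is used
# unless it sets Fall-Through.

# user1: single device, so match that device's NAS-IP-Address (SWITCH1).
user1   NAS-IP-Address == 192.0.2.11
        3Com-User-Access-Level = 3Com-Administrator

# user1 on any other device: refuse explicitly instead of letting the
# request continue to LDAP and succeed with no device restriction.
user1   Auth-Type := Reject
        Reply-Message = "No access to this device"

# user2: group of devices, so match the huntgroup.
user2   Huntgroup-Name == "switches"
        3Com-User-Access-Level = 3Com-Administrator

# user2 from a NAS outside the huntgroup: refuse.
user2   Auth-Type := Reject
        Reply-Message = "No access to this device"
```

The explicit reject entries are what enforce "no access for SWITCH2": without them a user who matches no device entry would still be authenticated by LDAP.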
