Accepting all terminal-server logins from a specific unix group

J B Bell cipher at redback.com
Mon Nov 10 20:38:49 CET 2008


Hi folks,

Following the FAQ, I have added a line like this to my users file:

DEFAULT Group == eng, Auth-Type := Accept

I do have "usegroup = yes" set in my radiusd.conf.

Now, just below that, as the final entry, is this:

DEFAULT Auth-Type := Accept
        Extreme-Security-Profile = "port100full LOGOFF-PROFILE=port100full;",
        Extreme-Netlogin-Vlan = guest

So, we have both Extreme switches and terminal servers authenticating to
our radius server. Prior to this attempt I've had individual user
entries for the terminal servers, of the form:

joeuser   Auth-Type := Accept
        Service-Type = Administrative

If I add the Service-Type line to my default group line, it breaks
authentication and also slows it way down, taking about 20-30 seconds.

With the "DEFAULT Group" line by itself, however, *all* users, including
nonexistent ones, get accepted. This isn't ideal, obviously. I'm also
concerned that my guest vlan logins may not be making it past that first
default group entry.

Any ideas how to make this work?

--JB




