Accepting all terminal-server logins from a specific unix group
tnt at kalik.net
Tue Nov 11 11:24:03 CET 2008
>DEFAULT Group == eng, Auth-Type := Accept
>
>I do have "usegroup = yes" set in my radiusd.conf.
>
>Now, just below that, as the final entry, is this:
>
>DEFAULT Auth-Type := Accept
> Extreme-Security-Profile = "port100full
>LOGOFF-PROFILE=port100full;",
> Extreme-Netlogin-Vlan = guest
>
>So, we have both Extreme switches and terminal servers authenticating to
>our radius server. Prior to this attempt I've had individual user
>entries for the terminal servers, of the form:
>
>joeuser Auth-Type := Accept
> Service-Type = Administrative
>
That should be Administrative-User.
>If I add the Service-Type line to my default group line, it breaks
>authentication
That's unlikely. It's an authorization attribute - nothing to do with
authentication.
>and also slows it way down, taking about 20-30 seconds.
>
>With the "DEFAULT Group" line by itself, however, *all* users, including
>nonexistent ones, get accepted. This isn't ideal, obviously. I'm also
>concerned that my guest vlan logins may not be making it past that first
>default group entry.
>
>Any ideas how to make this work?
>
Debug (radiusd -X). If a user is not part of that group, that DEFAULT
line shouldn't match.
Ivan Kalik
Kalik Informatika ISP
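
A simplified model of how the two DEFAULT entries quoted above are evaluated, added here as an illustration; it is not part of the original message and is not FreeRADIUS code. It assumes first-match processing with no Fall-Through set, the group membership table is constructed sample data, and `authorize` and `check_matches` are hypothetical names.

```python
# Simplified model of FreeRADIUS "users" file matching (assumption: entries are
# tried top to bottom, the first entry whose check items all match wins, and
# processing stops there because no entry sets Fall-Through).
# Group membership below is constructed sample data, not from the thread.
UNIX_GROUPS = {"eng": {"joeuser"}}

# Entries transcribed from the thread. Service-Type uses the corrected value
# from the reply and is attached to the group entry as the poster intended.
# The Extreme-Security-Profile reply item is omitted for brevity.
USERS_FILE = [
    {"name": "DEFAULT", "check": {"Group": "eng"},
     "control": {"Auth-Type": "Accept"},
     "reply": {"Service-Type": "Administrative-User"}},
    {"name": "DEFAULT", "check": {},
     "control": {"Auth-Type": "Accept"},
     "reply": {"Extreme-Netlogin-Vlan": "guest"}},
]


def check_matches(user, check):
    """Return True when every check item (== comparison) holds for this user."""
    for attr, value in check.items():
        if attr == "Group":
            if user not in UNIX_GROUPS.get(value, set()):
                return False
        else:
            return False  # this model knows no other check attributes
    return True


def authorize(user):
    """Return (entry index, control items, reply items) for the first match."""
    for index, entry in enumerate(USERS_FILE):
        if entry["name"] not in ("DEFAULT", user):
            continue
        if check_matches(user, entry["check"]):
            return index, entry["control"], entry["reply"]
    return None, {}, {}


if __name__ == "__main__":
    for user in ("joeuser", "nosuchuser"):
        index, control, reply = authorize(user)
        print(f"{user}: entry {index}, control={control}, reply={reply}")
```

In this model a user outside eng is still accepted, but by the final DEFAULT entry and without Service-Type; the `radiusd -X` debug output shows which entry a real request matched.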