One user - Different Service Type depending on NAS
Alan DeKok
aland at deployingradius.com
Mon Oct 13 14:24:45 CEST 2008
Mats Blomgren B wrote:
> 3 of the users should have full access (read/write) to the network (94
> Extreme Switches). This is straightforward.
> The other 3 should have read/write to about 80 switches and read only to
> the last 14.
Put the users into groups. Put the NASes into groups. Apply policies
based on group membership.
> I understand that I can group devices in huntgroups and users in groups
> and then control the access.
Yes. However, huntgroups may not be the best way to handle this.
> The problem I have is that I don't know how to give a certain user a
> specific "Service-Type" depending on the NAS he/she tries to connect to.
> I want the Service Type to differ for certain users depending on the NAS.
Don't. Do *group* checking.
    if ((Packet-Src-IP-Address == 1.2.3.4) || ...) {    # 80 times
        update request {
            NAS-Group = "one"    # define this in "dictionary"
        }
    }
    elsif ((Packet-Src-IP-Address == 2.3.4.5) || ...) {    # 14 times
        update request {
            NAS-Group = "two"
        }
    }
Put the users into similar groups. Put them into groups called
"admin", "some", or "readonly".
    if (User-Group == "admin") {
        update reply {
            Service-Type = Administrative-User
        }
    }
    elsif ((User-Group == "some") && (NAS-Group == "one")) {
        update reply {
            Service-Type = Administrative-User
        }
    }
    else {
        update reply {
            Service-Type = Login-User
        }
    }
Alan DeKok.