let radius distinguish more cases

alois blasbichler alois.blasbichler at sb-brixen.it
Tue Oct 28 10:36:41 CET 2008


Hello list,

I have a question to better understand RADIUS.
For this I have made a simple example scenario:

I want to use my RADIUS for 2 things:

1. wireless access for laptops with machine authentication over a wireless switch with IP 1.1.1.1
2. authentication for the login to my switches for some admin users

My machines (case 1) are in a Samba domain and saved in an OpenLDAP DB in the tree:
basedn = "ou=samba-machines,dc=sb-brixen,dc=it"

My users (case 2), where I select my admins with an LDAP filter, are also in an OpenLDAP DB in the tree:
basedn = "ou=users,dc=sb-brixen,dc=it"

How and where do I distinguish these 2 cases?
In the standard configuration, as I have understood it, RADIUS lets the clients try a lot of possibilities, and I have read it's better not to restrict the auth methods.

A possibility to solve my question is to make 2 files under /modules like ldap1 and ldap2 for my separate cases - but now my problem:

Where do I say that my wireless switch goes to ldap1 (with mschap) and my switches (for example all the network 1.1.20.x) go to ldap2 (with ldap-authentication): in users, or maybe in raddb/sites-available/default?

In clients.conf I have defined my switches and my network.

For the users file I have seen some examples like:
DEFAULT Huntgroup-Name = "vpn-pix",Auth-Type := ldap

But where do I define "Huntgroup-Name = "vpn-pix""? Is this the normal name in the client.conf?

Thank you for a response
luis

More information about the Freeradius-Users mailing list