let radius distinguish more cases

tnt at kalik.net
Tue Oct 28 10:56:42 CET 2008


>I have a question to understand radius better.
>For this I make a simple example scenario:
>
>I want to use my radius for 2 things :
>
>1. wireless-access for laptops with machine authentication over a
>wireless switch with ip 1.1.1.1
>2. authentication for the login to my switches for some admin-users
>

Create 2 ldap instances.

>My machines (case 1) are in a samba-domain and saved in a openldap-DB
>in the tree :

ldap ldap1 { ... with this:

>basedn = "ou=samba-machines,dc=sb-brixen,dc=it"
>
>My users (case 2), where I select my admins with an ldap-filter, are
>also in an openldap-DB in the tree:

and ldap ldap2 with this:

>basedn = "ou=users,dc=sb-brixen,dc=it"
>

>How and where do I distinguish these 2 cases?

You can use unlang. ldap1 requests will be coming from 1.1.1.1 and won't
have Service-Type in them (that will be only for admin requests):

if (NAS-IP-Address == 1.1.1.1 && !Service-Type) {
     ldap1
}
else {
     ldap2
}

Put that in authorize (default virtual server) instead of the ldap entry.
Don't bother with forcing auth type ldap - let pap module sort out
authentication.

>In  clients.conf i have defined my switches and my network.
>
>For the users-file I have seen some examples like:
>DEFAULT Huntgroup-Name = "vpn-pix",Auth-Type := ldap
>
>But where do I define "Huntgroup-Name = "vpn-pix""? Is this the normal
>name in the client.conf?
>

You define huntgroups in the huntgroups file (raddb/huntgroups). I don't
think you need them. You would use them if some admins can have access
to one group of devices and not to another.

Ivan Kalik
Kalik Informatika ISP
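Putting the reply's pieces together, as an added example that is not from the original thread: the client entry for the wireless switch, the two ldap module instances, and the authorize section with the condition above. The LDAP server host, bind DN, secrets and the admin filter clause are assumed placeholders; the basedn values and the 1.1.1.1 address come from the thread.

```unlang
# raddb/clients.conf: the wireless switch that sends the machine requests
client wireless-switch {
    ipaddr    = 1.1.1.1
    secret    = CHANGE-ME-shared-secret        # placeholder
    shortname = wlan-switch
}

# raddb/modules/ldap (FreeRADIUS 2.x): one ldap instance per subtree
ldap ldap1 {
    server   = "ldap.example.internal"         # assumed host name
    identity = "cn=radius,dc=sb-brixen,dc=it"  # assumed read-only bind DN
    password = CHANGE-ME
    basedn   = "ou=samba-machines,dc=sb-brixen,dc=it"
    # Samba machine accounts carry the host name as uid ("host$")
    filter   = "(uid=%{Stripped-User-Name:-%{User-Name}})"
}

ldap ldap2 {
    server   = "ldap.example.internal"
    identity = "cn=radius,dc=sb-brixen,dc=it"
    password = CHANGE-ME
    basedn   = "ou=users,dc=sb-brixen,dc=it"
    # second clause is a placeholder: substitute the admin filter you
    # already use so that ordinary users never match here
    filter   = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(description=radius-admin))"
}

# raddb/sites-enabled/default: replace the plain "ldap" line in authorize
authorize {
    preprocess
    # machine auth comes from the wireless switch without Service-Type;
    # everything else is an admin login to a switch
    if (NAS-IP-Address == 1.1.1.1 && !Service-Type) {
        ldap1
    }
    else {
        ldap2
    }
    # pap sets Auth-Type := PAP itself when a User-Password is present
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
}
```

With `radiusd -X` you can watch which instance a request is routed to, which is the quickest way to confirm the condition matches the traffic you expect.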
