Unlang authentication help

Ivan Kalik tnt at kalik.net
Fri Jun 26 00:17:23 CEST 2009


> I'm trying to use unlang to limit LDAP users' access to different network
> devices. Here is what I have so far in sites-enabled/default:
>
> Auth-Type LDAP {
>         ldap
>
>         if (NAS-IP-Address == 10.1.1.1 && LDAP-Group == 'RouterAdmin') {
>                 ok
>         }
>         else {
>                 reject
>         }
> }
>
>
> Right now that works if your LDAP radiusGroupName = RouterAdmin and you are
> trying to connect to 10.1.1.1, but I would like to add NAS-IP-Addresses and
> associate them with a radiusGroupName. This is where I'm having trouble. It
> would be nice if I could just reference a file for the IPs like:
>
> RouterAdminList = /usr/local/etc/raddbd/devices/RouterAdmin
>
> if (NAS-IP-Address == %{RouterAdminList} && LDAP-Group == 'RouterAdmin') {
>
> And have multiple lines:
>
> if (NAS-IP-Address == %{RouterAdminList} && LDAP-Group == 'RouterAdmin') OR
> if (NAS-IP-Address == %{SwitchAdminList} && LDAP-Group == 'SwitchAdmin') OR
> if (NAS-IP-Address == %{WifiAdminList} && LDAP-Group == 'WifiAdmin') {
>         ok
> }
> else {
>         reject
> }
> }
>
> How would I do that? And how would I list the IP addresses in the files?

Use huntgroups (raddb/huntgroups).

if(Huntgroup-Name == "routers" && Ldap-Group == "RouterAdmin") {
     ok
}
else {
     reject
}

Ivan Kalik
Kalik Informatika ISP
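Spelled out for the three device classes in the question, as an added example (this is not part of Ivan's reply, and the huntgroup names, NAS addresses and LDAP group names are assumed for illustration): one line per NAS in raddb/huntgroups, repeating the huntgroup name to OR several devices into one group, and a single unlang condition in the authenticate section that pairs each huntgroup with the LDAP group allowed to log in to it. Huntgroup-Name is resolved by the preprocess module, so preprocess must remain in the authorize section (it is there in the default virtual server) and `huntgroups = ${confdir}/huntgroups` must be set in the preprocess module configuration. The NAS-IP-Address in the condition is the address the device sources its RADIUS packets from, not the address the user connects to, so check which one your devices actually use.

```text
# raddb/huntgroups  (example; addresses are made up)
# Format: <huntgroup name>  <check item>[, <check item>...]
# The same name on several lines means "any of these".
routers    NAS-IP-Address == 10.1.1.1
routers    NAS-IP-Address == 10.1.1.2
switches   NAS-IP-Address == 10.1.2.1
switches   NAS-IP-Address == 10.1.2.2
wifi       NAS-IP-Address == 10.1.3.1

# raddb/sites-enabled/default, authenticate section (example)
authenticate {
        Auth-Type LDAP {
                ldap

                # Each huntgroup is tied to exactly one LDAP group.
                # Anything not listed here falls through to reject.
                if ((Huntgroup-Name == "routers"  && Ldap-Group == "RouterAdmin") ||
                    (Huntgroup-Name == "switches" && Ldap-Group == "SwitchAdmin") ||
                    (Huntgroup-Name == "wifi"     && Ldap-Group == "WifiAdmin")) {
                        ok
                }
                else {
                        reject
                }
        }
}
```

Adding a new device is then a one-line change to raddb/huntgroups rather than an edit of the unlang, and the unlang only grows when a new role is introduced. Run the server with `radiusd -X` and send a test request with `radtest` from (or spoofed as) each NAS address to confirm that the expected huntgroup and group comparison match before relying on the rule.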