Huntgroups and Network of Clients
HRZ Konten
hrzkonten at uni-bonn.de
Thu Mar 12 15:27:52 CET 2009
>> What will be
>> the configuration then?
>>
>> DEFAULT Huntgroup-Name==testldap, Ldap-Group == employee, Auth-Type := Pam
>> Fall-Through = no
>>
>> DEFAULT if (NAS-IP-Address >z.z.z.z && NAS-IP-Address< y.y.y.y) {
>> Auth-Type:= Pam} else
>> {
>>
>> Auth-Type := Reject
>> Reply-Message = "Please call the helpdesk."
>> }
>>
>> Does that make sense?
>>
>>
>
> Not really. Stick to one thing - users file or unlang. I would recommend
> unlang.
I already thought about your advice to concentrate on unlang and to check in
sites-enabled/default
---------------------
authorize
{
ldap
if (Ldap-Group == "employee" && NAS-IP-Address == ^131\.(220)\.(1)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$)
{ok} else
if (Ldap-Group == "student" && NAS-IP-Address == ^131\.(220)\.(2)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$)
{ok} else
if (Huntgroup-Name == "testldap" && Ldap-Group == "student" )
{ok} else
.............
else {reject}
Is that right?
Should Auth-Type:=Pam stay then in users?
I read in another post from today "How to allow nas'es to serve only
groups of clients?" that somebody tries to do almost the same with
unlang and SQL-Groups what I'm trying to do with unlang and LDAP-Groups.
It seems that unlang doesn't work with SQL-Groups so could it be that
the situation is the same for LDAP-Groups too?
I still have freeradius 1.1.7 and I would like to do an urgent upgrade only
if I can use unlang to check subnets and Ldap-Groups with it. If this is
not possible, I would like to know.
Is there maybe another way to check subnets? Can I use regex for
example in huntgroups? Then I wouldn't need to use unlang and can stay
some more time on my current version of freeradius.
Greets
Meyes
> What you posted is a mixture of both but the essence is OK. Just
> use regex for checking subnets.
>
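An added example, not part of the original post or of FreeRADIUS: a Python check that the two NAS-IP-Address regexes posted above accept exactly the subnets they are meant to describe, compared with a loosely written pattern. It assumes each rule is meant to cover a /24; `LOOSE`, `mismatches` and `authorize` are hypothetical names, and Python's `re` stands in for the server's regex engine.

```python
import ipaddress
import re

# Octet pattern and anchors as posted; the /24 networks are an assumption
# read off the two regexes (131.220.1.x for employee, 131.220.2.x for student).
OCTET = r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
RULES = {
    "employee": (r"^131\.(220)\.(1)\." + OCTET + r"$", "131.220.1.0/24"),
    "student": (r"^131\.(220)\.(2)\." + OCTET + r"$", "131.220.2.0/24"),
}
# Constructed counter-example: unanchored, dots left unescaped.
LOOSE = r"131.220.1."


def mismatches(pattern, cidr, scope_prefix=19):
    """Compare a regex with the subnet it is meant to describe.

    Every address in the enclosing /scope_prefix network is tested. Returns
    (over, under): addresses the regex accepts outside the subnet, and
    addresses inside the subnet that it rejects.
    """
    net = ipaddress.ip_network(cidr)
    rx = re.compile(pattern)
    over, under = [], []
    for addr in net.supernet(new_prefix=scope_prefix):
        hit = rx.search(str(addr)) is not None
        if hit and addr not in net:
            over.append(str(addr))
        elif not hit and addr in net:
            under.append(str(addr))
    return over, under


def authorize(group, nas_ip):
    """Default-deny decision for one (LDAP group, NAS-IP-Address) pair."""
    rule = RULES.get(group)
    return "ok" if rule and re.search(rule[0], nas_ip) else "reject"


if __name__ == "__main__":
    for group, (pattern, cidr) in RULES.items():
        print(group, [len(x) for x in mismatches(pattern, cidr)])
    print("loose", [len(x) for x in mismatches(LOOSE, "131.220.1.0/24")])
```

The anchored, escaped patterns from the post match their /24 exactly, while the loose pattern also accepts NAS addresses in 131.220.10.x through 131.220.19.x.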