Groups of NASs by IP
Alexander Clouter
alex at digriz.org.uk
Wed Nov 25 12:36:55 CET 2009
Leighton Man <l.j.man at hud.ac.uk> wrote:
>
> I would like to group NASs by ip address but as I have a few hundred,
> I don't want to maintain a list.
>
> Can I configure ip address ranges in huntgroups eg. Group1
> NAS-IP-Address == 192.168.1.101 - 105 If not, can I use regular
> expressions?
>
> How else can I do this? What is the best way?
>
I used to use huntgroups to do this; however, I recently discovered in the
mailing list archives that the clients.conf file can be used to better
effect for grouping:
----
client 2.3.4.0/24 {
        shortname = switch
        secret = blar
}
client 3.4.5.0/24 {
        shortname = switch
        secret = hoot
        vendor = allied-telesis
}
client 1.2.3.0/28 {
        shortname = console
        secret = honk
}
----
Then in your virtual server you can use something like:
----
authorize {
        ....
        update request {
                # NAS-Vendor is a local custom dict addition
                NAS-Vendor := "%{client:vendor}"
                NAS-Identifier := "%{client:shortname}"
        }
        ....
        files
        ....
}
----
Your 'users' file then has:
----
DEFAULT NAS-Identifier == switch, NAS-Vendor == allied-telesis, LDAP-Group == netref
        Service-Type = Administrative-User
DEFAULT NAS-Identifier == switch, LDAP-Group == netref
        Service-Type = NAS-Prompt-User, Cisco-AVPair = "shell:priv-lvl=15"
DEFAULT NAS-Identifier == switch, Auth-Type := Reject
----
You can actually add *anything* to the client subsections ('shortname'
and 'secret' are the only FreeRADIUS variables in there; the 'vendor'
bit is not known to FreeRADIUS), and FreeRADIUS will simply ignore it, but
it is still accessible via '%{client:NAME}'.
The advantage with this approach is that you are doing the NAS grouping
in the clients.conf file rather than potentially duplicating it in the
'hints' and/or huntgroups file.
Cheers
--
Alexander Clouter
.sigmonster says: Your boyfriend takes chocolate from strangers.
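A small simulation of the lookup described in the post above (added here as an example; it is not code from the original message or from FreeRADIUS): it resolves a NAS IP to its clients.conf block by CIDR, sets NAS-Identifier and NAS-Vendor the way the 'update request' block does, and then walks the users-file DEFAULT entries first-match. The client blocks and users entries are constructed to mirror the post, and LDAP-Group is modelled as a set of group names passed in, since the real check is performed by rlm_ldap.

```python
import ipaddress
# Constructed client blocks mirroring the clients.conf in the post; 'vendor'
# is a custom item FreeRADIUS ignores but exposes through %{client:vendor}.
CLIENTS = {
    "2.3.4.0/24": {"shortname": "switch", "secret": "blar"},
    "3.4.5.0/24": {"shortname": "switch", "secret": "hoot", "vendor": "allied-telesis"},
    "1.2.3.0/28": {"shortname": "console", "secret": "honk"},
}
# The 'users' DEFAULT entries from the post as (check items, reply items).
USERS = [
    ({"NAS-Identifier": "switch", "NAS-Vendor": "allied-telesis",
      "LDAP-Group": "netref"}, {"Service-Type": "Administrative-User"}),
    ({"NAS-Identifier": "switch", "LDAP-Group": "netref"},
     {"Service-Type": "NAS-Prompt-User", "Cisco-AVPair": "shell:priv-lvl=15"}),
    ({"NAS-Identifier": "switch"}, {"Auth-Type": "Reject"}),
]

def lookup_client(nas_ip):
    """Client block containing nas_ip; most specific prefix wins, None if none."""
    addr = ipaddress.ip_address(nas_ip)
    best = None
    for cidr, block in CLIENTS.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, block)
    return None if best is None else best[1]

def check_matches(check, request):
    """Users-file check list vs request (LDAP-Group is a membership test)."""
    for attr, want in check.items():
        if attr == "LDAP-Group":
            if want not in request["LDAP-Group"]:
                return False
        elif request.get(attr) != want:
            return False
    return True

def authorize(nas_ip, ldap_groups):
    """Build the request as 'update request' does, then return the reply items
    of the first matching DEFAULT entry ({} if none; None if NAS is unknown)."""
    client = lookup_client(nas_ip)
    if client is None:
        return None  # no client entry: FreeRADIUS silently drops the packet
    request = {"NAS-Identifier": client["shortname"],
               "NAS-Vendor": client.get("vendor", ""),  # %{client:vendor} -> ""
               "LDAP-Group": set(ldap_groups)}
    for check, reply in USERS:
        if check_matches(check, request):
            return dict(reply)
    return {}
```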