Groups of NASs by IP
Leighton Man
l.j.man at hud.ac.uk
Wed Nov 25 13:29:07 CET 2009
> I used to use huntgroups to do this, however recently
> discovered in the mailing list archives that the clients.conf
> file can be used to better effect with grouping:
> ----
> client 2.3.4.0/24 {
> shortname = switch
> secret = blar
> }
> client 3.4.5.0/24 {
> shortname = switch
> secret = hoot
>
> vendor = allied-telesis
> }
> client 1.2.3.0/28 {
> shortname = console
> secret = honk
> }
> ----
>
> Then in your virtual server you can use something like:
> ----
> authorize {
>
> ....
>
> update request {
> # NAS-Vendor is a local custom dict addition
> NAS-Vendor := "%{client:vendor}"
> NAS-Identifier := "%{client:shortname}"
> }
>
> ....
>
> files
>
> ....
>
> }
> ----
>
> Your 'users' file then has:
> ----
> DEFAULT NAS-Identifier == switch, NAS-Vendor == allied-telesis, LDAP-Group == netref
>         Service-Type = Administrative-User
>
> DEFAULT NAS-Identifier == switch, LDAP-Group == netref
>         Service-Type = NAS-Prompt-User, Cisco-AVPair = "shell:priv-lvl=15"
>
> DEFAULT NAS-Identifier == switch, Auth-Type := Reject
> ----
>
> You can actually add *anything* to the client subsections
> ('shortname'
> and 'secret' are the only FreeRADIUS variables in there, the 'vendor'
> bit is not known to FreeRADIUS) and FreeRADIUS will simply
> ignore it but it is accessible via '%{client:NAME}'.
>
> The advantage with this approach is that you are doing the
> NAS grouping in the clients.conf file rather than potentially
> duplicating it in the 'hints' and/or huntgroups file.
>
> Cheers
>
Many many thanks for this. Strangely enough, I already have the major groups in clients.conf for other reasons and the ultimate goal is to control logins on our Cisco infrastructure and thus retire ACS. You've given me a lot of help.
Thanks,
Leighton
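The quoted recipe has three moving parts that are easy to get wrong in practice: which client block a packet is matched against when networks overlap, the fact that `:=` in the `update request` block replaces whatever NAS-Identifier the NAS itself sent (so a device cannot pick its own group by what it puts in the packet), and the first-match ordering of the `users` file, which is what makes the trailing `DEFAULT NAS-Identifier == switch, Auth-Type := Reject` line a catch-all. The Python below is an added, stand-alone model of that flow written for this page; it is not FreeRADIUS code and not from the original post. The clients.conf text is constructed sample data in the style of the post (the extra, overlapping `3.4.5.128/25` block is added here purely to show most-specific-network matching, which FreeRADIUS does by trying client networks longest-prefix first), and the `LDAP-Group == netref` check is modelled as simple set membership rather than a real LDAP lookup.

```python
import ipaddress
import re

# Constructed sample clients.conf in the style of the quoted post (not a real site).
# The 3.4.5.128/25 block is an extra, overlapping network added here to show that
# the most specific client network wins.
CLIENTS_CONF = """
client 2.3.4.0/24 {
    shortname = switch
    secret = blar
}
client 3.4.5.0/24 {
    shortname = switch
    secret = hoot
    vendor = allied-telesis
}
client 3.4.5.128/25 {
    shortname = console
    secret = hiss
}
client 1.2.3.0/28 {
    shortname = console
    secret = honk
}
"""

# The users-file entries from the post as (check items, reply items).
# Order matters: the first entry whose check items all match wins.
USERS = [
    ({"NAS-Identifier": "switch", "NAS-Vendor": "allied-telesis", "LDAP-Group": "netref"},
     {"Service-Type": "Administrative-User"}),
    ({"NAS-Identifier": "switch", "LDAP-Group": "netref"},
     {"Service-Type": "NAS-Prompt-User", "Cisco-AVPair": "shell:priv-lvl=15"}),
    ({"NAS-Identifier": "switch"},
     {"Auth-Type": "Reject"}),
]


def parse_clients(text):
    """Parse 'client <cidr> { key = value ... }' blocks, keeping every key.

    Unknown keys (like 'vendor') are kept too: FreeRADIUS ignores them but
    still exposes them through %{client:NAME}, which is the post's point.
    """
    clients = []
    for block in re.finditer(r"client\s+(\S+)\s*\{([^}]*)\}", text):
        attrs = {}
        for line in block.group(2).splitlines():
            line = line.split("#", 1)[0].strip()
            if "=" in line:
                key, value = line.split("=", 1)
                attrs[key.strip()] = value.strip()
        clients.append((ipaddress.ip_network(block.group(1), strict=False), attrs))
    return clients


def find_client(clients, src_ip):
    """Attributes of the most specific client network containing src_ip
    (longest prefix first, as FreeRADIUS does), or None for an unknown NAS."""
    ip = ipaddress.ip_address(src_ip)
    matches = [(net, attrs) for net, attrs in clients if ip in net]
    if not matches:
        return None  # FreeRADIUS silently drops packets from unknown clients
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def build_request(clients, src_ip, nas_sent, ldap_groups):
    """Model the post's 'update request' block.

    ':=' overwrites, so NAS-Identifier comes from clients.conf and not from
    whatever the NAS put in the packet. ldap_groups is an assumed stand-in
    for the LDAP-Group membership check.
    """
    client = find_client(clients, src_ip)
    if client is None:
        return None
    request = dict(nas_sent)
    request["NAS-Identifier"] = client.get("shortname", "")
    request["NAS-Vendor"] = client.get("vendor", "")
    request["LDAP-Group"] = set(ldap_groups)
    return request


def lookup_users(users, request):
    """First-match users-file semantics (no Fall-Through)."""
    for check, reply in users:
        for key, want in check.items():
            if key == "LDAP-Group":
                matched = want in request["LDAP-Group"]
            else:
                matched = request.get(key) == want
            if not matched:
                break
        else:
            return reply
    return None


def authorize(src_ip, nas_sent, ldap_groups, conf=CLIENTS_CONF, users=USERS):
    """Reply items the users file would add for this NAS and user, or None."""
    request = build_request(parse_clients(conf), src_ip, nas_sent, ldap_groups)
    if request is None:
        return None
    return lookup_users(users, request)
```

Two cases are worth running by hand: a packet from `2.3.4.7` whose NAS-Identifier claims to be `console` still ends up as `switch` and, for a user outside `netref`, hits the final Reject line; and a packet from `3.4.5.200` is matched by the more specific `/25` console block rather than the `/24` switch block, so none of the switch entries apply to it at all.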