Device specific Access-Accept attributes and granular user group control
Alan DeKok
aland at deployingradius.com
Fri Feb 5 09:00:02 CET 2010
Matt Hite wrote:
> - Different brands of gear should get different VSAs and/or general
> attributes returned in Access-Accept messages. For example, if I log
> in from a Cisco device, I should get a different RADIUS attribute sent
> back than when logging in from a F5 or a NetScreen.
It's not well known, but the configuration files can be used as a
simple database. Any well-formed text will be accepted, and can be
looked up later. e.g.:
client foo {
        ipaddr  = ...
        secret  = ...
        myfield = cisco      # a locally defined field, not a FreeRADIUS keyword
        ...
}
Then when processing a packet:
if ("%{client:myfield}" == "cisco") {
        ...
}
You can define your own data, and put each device into its own
"group", simply by adding a field to each "client" entry. Then, return
the appropriate attributes for each type of client.
> - Some users can log into certain groups of devices, others should not
> be able to
Use the same thing, but also using "groups" for the users.
client foo {
        ...
        class = foo
}
Then in a processing section (authorize, etc.)
if ((Group == "limited") && ("%{client:class}" != "foo")) {
        reject
}
If you don't want "unix" groups, see "man rlm_passwd".
Alan DeKok.
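A complete worked version of the two ideas in the post (per-client fields driving vendor-specific reply attributes, and a group-to-device-class gate), as an added example that is not from Alan's message or from the FreeRADIUS distribution. The `vendor` and `class` field names, the client addresses and the group name are my own choices; the Cisco-AVPair, F5-LTM-User-Role and NS-Admin-Privilege attribute names and values are assumed to match the vendor dictionaries shipped with FreeRADIUS 2.x and should be checked against the dictionary files on your server before use.

```text
# --- clients.conf (added example) ---
# "vendor" and "class" are not FreeRADIUS keywords; they are local fields
# that unlang reads back with %{client:vendor} and %{client:class}.

client core-rtr01 {
        ipaddr  = 192.0.2.10                 # assumed address
        secret  = REPLACE-WITH-A-LONG-RANDOM-SECRET
        vendor  = cisco
        class   = core
}

client lb01 {
        ipaddr  = 192.0.2.20
        secret  = REPLACE-WITH-A-LONG-RANDOM-SECRET
        vendor  = f5
        class   = core
}

client lab-fw01 {
        ipaddr  = 192.0.2.30
        secret  = REPLACE-WITH-A-LONG-RANDOM-SECRET
        vendor  = netscreen
        class   = lab
}

# --- sites-enabled/default (relevant parts only) ---
authorize {
        preprocess
        unix            # provides the "Group" comparison used below
        files

        # Users in unix group "limited" may only log in to "lab" class devices.
        # A client with no "class" field expands to "", so it is rejected too:
        # the check fails closed for devices that were never classified.
        if ((Group == "limited") && ("%{client:class}" != "lab")) {
                reject
        }

        pap
}

post-auth {
        # Vendor-specific reply attributes chosen by the client's "vendor" field.
        # Attribute and value names assumed from dictionary.cisco, dictionary.f5
        # and dictionary.netscreen; verify against the copies on your server.
        switch "%{client:vendor}" {
                case "cisco" {
                        if (Group == "limited") {
                                update reply {
                                        Cisco-AVPair := "shell:priv-lvl=1"
                                }
                        }
                        else {
                                update reply {
                                        Cisco-AVPair := "shell:priv-lvl=15"
                                }
                        }
                }
                case "f5" {
                        update reply {
                                F5-LTM-User-Role := 0       # 0 = Administrator (assumed)
                        }
                }
                case "netscreen" {
                        update reply {
                                NS-Admin-Privilege := Read-Only-Admin   # value name assumed
                        }
                }
                case {
                        # Unknown or unset vendor: send no vendor-specific
                        # attributes rather than guessing.
                        noop
                }
        }
}
```

Two points worth keeping in mind when adapting this. First, `%{client:...}` expands to the empty string for a client that lacks the field, so the gate in `authorize` rejects "limited" users on any device you forgot to classify, which is the safe direction; the `post-auth` default case likewise sends nothing vendor-specific rather than a guessed attribute. Second, the `Group ==` comparison is registered by the `unix` module (or by rlm_passwd, as the post notes), so that module must be listed in `authorize` ahead of the check or the comparison will never match.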