How to allow group login on some devices?
Alan DeKok
aland at deployingradius.com
Thu Jul 22 08:35:06 CEST 2010
Martin Whinnery wrote:
> Now, I'd like to set up our switches to use radius to allow our
> technicians to login. And they are all members of an LDAP group. Let's
> call it "cn=techies,ou=groups,dc=example,dc=org". I only want this to be
> the case for some client devices, namely our switches.
>
> Can anyone point me towards the documentation I should have read?
The LDAP-Group attribute will check LDAP group membership.
http://wiki.freeradius.org/Rlm_ldap
You can put switches (or NASes) into groups via the Huntgroup. See
raddb/huntgroups.
Then... combine them. In the "users" file:
DEFAULT LDAP-Group == "techies", Huntgroup-Name != "some-switches", Auth-Type := Reject
(all on one line)
Alan DeKok.
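
An added example, not part of the original message and not FreeRADIUS code: a simplified Python model of how the check items on that "users" line are evaluated, showing which user/device combinations the entry matches. The user names, IP addresses and group tables are constructed sample data, and `parse_entry`, `member` and `evaluate` are hypothetical helper names.

```python
import re

# Constructed sample data (assumptions, not from the original post).
HUNTGROUPS = {"some-switches": {"192.0.2.11", "192.0.2.12"}}  # NAS IPs per huntgroup
LDAP_GROUPS = {"techies": {"alice"}}                          # members per LDAP group

# The entry from the post, joined onto one line as the post requires.
ENTRY = ('DEFAULT LDAP-Group == "techies", '
         'Huntgroup-Name != "some-switches", Auth-Type := Reject')

ITEM = re.compile(r'\s*([\w-]+)\s*(==|!=|:=)\s*"?([^",]+)"?\s*')

def parse_entry(line):
    """Split a users-file line into (name, comparisons, assignments)."""
    name, rest = line.split(None, 1)
    compares, assigns = [], []
    for part in rest.split(","):
        attr, op, value = ITEM.fullmatch(part).groups()
        item = (attr, op, value.strip())
        # ':=' sets a control attribute; '==' and '!=' are comparisons.
        (assigns if op == ":=" else compares).append(item)
    return name, compares, assigns

def member(attr, value, user, nas_ip):
    """Model the two dynamic comparisons used by the entry."""
    if attr == "LDAP-Group":
        return user in LDAP_GROUPS.get(value, set())
    if attr == "Huntgroup-Name":
        return nas_ip in HUNTGROUPS.get(value, set())
    raise ValueError(f"unsupported check item: {attr}")

def evaluate(line, user, nas_ip):
    """Return the control attributes the entry sets, or {} if it does not match."""
    name, compares, assigns = parse_entry(line)
    if name != "DEFAULT" and name != user:
        return {}
    for attr, op, value in compares:
        # Every comparison must hold for the entry to match.
        if member(attr, value, user, nas_ip) != (op == "=="):
            return {}
    return {attr: value for attr, _, value in assigns}

if __name__ == "__main__":
    for user in ("alice", "bob"):
        for nas in ("192.0.2.11", "198.51.100.5"):
            print(user, nas, evaluate(ENTRY, user, nas) or "entry does not match")
```

An empty result means this entry does not match the request, so the outcome is left to whatever other entries and modules are configured.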