Private attribute assigned in clients.conf and checked in huntgroups ?
Fred MAISON
fred.maison at gmail.com
Mon May 3 19:02:29 CEST 2010
Hello freeradius-users,
In many cases, when there is no attribute in the request to differentiate
the kind of NAS, and we need to build a reply with NAS-dependent
(AV pair) attributes, the only solution is to assign the huntgroup by
checking the NAS-IP-Address again in preprocessing.
I would like to know if there is any way to create a private attribute in
clients.conf to assign the NAS type for huntgroup selection?
I made some checks, but the My-Nas-Type variable does not seem to be
accessible from within huntgroups as a check item.
As we have to manage more than 1000 different NAS, the idea is to have a
configured value in clients.conf to distinguish between different
kinds/manufacturers/models of NAS, to avoid checking the NAS-IP-Address
again in huntgroups (it is already done in clients.conf), and to be able
to assign the huntgroup by testing this private attribute.
For example:
dictionary:
    ATTRIBUTE My-Nas-Type 3000 string
clients.conf:
    client c1 {
        ipaddr = 10.1.1.1
        My-Nas-Type = cisco
        nastype = cisco
    }
    client c2 {
        ipaddr = 10.1.1.2
        My-Nas-Type = cisco
        nastype = cisco
    }
    client c3 {
        ipaddr = 10.2.2.2
        My-Nas-Type = netscreen
        nastype = other
    }
    client c4 {
        ipaddr = 10.3.3.3
        My-Nas-Type = provider1
        nastype = other
    }
huntgroups:
    cisco         Service-Type == Login-User, My-Nas-Type == "cisco"
    netscreen     Service-Type == Login-User, My-Nas-Type == "netscreen"
    provider1     Service-Type == Login-User, My-Nas-Type == "provider1"
    ciscoByIP     NAS-IP-Address == 10.1.1.1, Service-Type == Login-User
    ciscoByIP     NAS-IP-Address == 10.1.1.2, Service-Type == Login-User
    netscreenByIP NAS-IP-Address == 10.2.2.2, Service-Type == Login-User
    p1ByIP        NAS-IP-Address == 10.3.3.3, Service-Type == Login-User
    ....
users:
    DEFAULT Huntgroup-Name == cisco, Ldap-Group == "CiscoRW"
            Cisco-AVPair := "shell:priv-lvl=15"
    DEFAULT Huntgroup-Name == netscreen, Ldap-Group == "All-Admin-RW"
            NS-Admin-Privilege = "All-VSYS-Root-Admin"
    DEFAULT Huntgroup-Name == provider1, Ldap-Group == "P1RW"
    # Old config
    DEFAULT Huntgroup-Name == ciscoByIP, Ldap-Group == "CiscoRW"
    DEFAULT Huntgroup-Name == netscreenByIP, Ldap-Group == "All-Admin-RW"
    DEFAULT Huntgroup-Name == p1ByIP, Ldap-Group == "P1RW"
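Worked example, added by the editor and not part of Fred's post or of the FreeRADIUS project files: one way to get a per-client value into the request so that huntgroups can test it. Huntgroup check items are compared against attributes in the request packet, which is why an item that only lives in a client { } block is never seen by the huntgroups file. The example assumes the %{client:<key>} expansion of FreeRADIUS 2.x, which reads an item back out of the client block that matched the packet's source address, and assumes that an extra item with an arbitrary name (here nas_kind) is accepted in clients.conf; the secret values are placeholders.

```text
# --- clients.conf (example; the nas_kind item and the secrets are placeholders)
client c1 {
        ipaddr   = 10.1.1.1
        secret   = testing123
        nastype  = cisco
        nas_kind = cisco        # private item, read back with %{client:nas_kind}
}
client c3 {
        ipaddr   = 10.2.2.2
        secret   = testing123
        nastype  = other        # nastype drives checkrad, so keep it separate
        nas_kind = netscreen
}

# --- raddb/dictionary: internal attribute. Its number is above 255, so a NAS
#     can never send it on the wire; the value comes only from our own config.
ATTRIBUTE       My-Nas-Type     3000    string

# --- sites-enabled/default, authorize section. The copy must come BEFORE
#     preprocess, because huntgroups are matched against request attributes.
authorize {
        update request {
                My-Nas-Type := "%{client:nas_kind}"
        }
        preprocess
        # the rest of the section (chap, mschap, suffix, ldap, ...) is unchanged
}

# --- huntgroups: test the private attribute instead of NAS-IP-Address
cisco           My-Nas-Type == "cisco",     Service-Type == Login-User
netscreen       My-Nas-Type == "netscreen", Service-Type == Login-User

# --- users
DEFAULT Huntgroup-Name == cisco, Ldap-Group == "CiscoRW"
        Cisco-AVPair := "shell:priv-lvl=15"
DEFAULT Huntgroup-Name == netscreen, Ldap-Group == "All-Admin-RW"
        NS-Admin-Privilege = "All-VSYS-Root-Admin"
```

With this layout the huntgroup is derived from server-side configuration that is bound to the client match (source address plus shared secret), not from anything the NAS writes into the Access-Request, so a NAS cannot talk its way into another vendor's privilege reply by forging attributes. If a client block has no nas_kind item, the expansion is empty, no huntgroup matches, and the DEFAULT entries keyed on Huntgroup-Name simply do not apply, which fails closed. To check the behaviour, run the server with radiusd -X and send a test request with radclient from one of the configured client addresses: the debug output shows the update request expansion and rlm_preprocess setting Huntgroup-Name.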