Devices in more than one huntgroup

Jan.Weiss at t-systems.com
Fri Aug 19 08:59:05 CEST 2011


>Hi,
>
>I have a little problem with devices in multiple huntgroups.
>By now I know that this is not possible (rtfm helped ;-)
>
>What i wanted to do is the following:
>
>Two teams, but with different rights.
>
>Users:
>====================
>DEFAULT Auth-Type := LDAP, Huntgroup-Name == "nexus", LDAP-Group == "<Team-1-Group>"
>        Login-Service = Telnet,
>        Cisco-AVPair = "shell:roles*\"network-admin\" \"vdc-admin\""
>
>DEFAULT Auth-Type := LDAP, Huntgroup-Name == "readonly-nexus", LDAP-Group == "<Team-2-Group>"
>        Login-Service = Telnet,
>        Cisco-AVPair = "shell:roles*\"network-operator\" \"vdc-operator\""
>
>Huntgroups:
>====================
>readonly-nexus NAS-IP-Address == 192.168.11.123
>Nexus              NAS-IP-Address == 192.168.11.123
>
>
>Since only the first match within the huntgroups is checked, team-2 always gets "access-reject".
>
>
>For checking, only the NAS-IP-Address makes sense in our environment.
>I already found a hint to use rlm_passwd, but I can't get this to run.
>
>So I tried the following:
>
>=======================
>Users:
>DEFAULT Auth-Type := LDAP, Huntgroup-Name == "nexus", My-Device-Group "Nexus-readonly", LDAP-Group == "<Team-2-Group>"
>        Login-Service = Telnet,
>        Cisco-AVPair = "shell:roles*\"network-operator\" \"vdc-operator\""
>
>modules/passwd:
>passwd Groups_local {
>        filename = /etc/raddb/groups_local
>        format = "My-Device-Group:*NAS-IP-Address"
>        hashsize = 50
>        ignorenislike = no
>        allowmultiplekeys = no
>        delimiter = ":"
>}
>
>groups_local:
>Nexus-readonly:192.168.11.123
>
>dictionary:
>ATTRIBUTE       My-Device-Group         3000    string
>
>=======================
>
>Groups_local was placed in the authorize section, after preprocess.
>
>Debug shows:
>
>Ready to process requests.
>rad_recv: Access-Request packet from host 192.168.11.123 port 48910, id=20, length=62
>        User-Name = "test"
>        User-Password = "test"
>        NAS-Port-Type = Virtual
>        NAS-Port = 3000
>        NAS-IP-Address = 192.168.11.123
>+- entering group authorize {...}
>++[preprocess] returns ok
>++[groups_local] returns notfound
>
>Any Idea?
>Or is there a big bug in my config (and my mind)?
>Thanks!
>
>Jan

Does nobody have an idea what I'm doing wrong?
Or any idea how I could realize this?

Thanks a lot!

Jan
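
Added example, not part of the post and not FreeRADIUS code: a small Python model of how rlm_passwd's `format` string decides where each file field ends up, run against the format, delimiter and groups_local content quoted above. The prefix meanings follow the module's documentation ('*' marks the key field, '~' keeps a field out of the reply, '=' sends a field to the check/config items instead of the reply); treating the key field as lookup-only is a simplifying assumption of this model.

```python
"""Model of rlm_passwd's format-string handling (not the module's own code)."""
from typing import Dict, List, Optional, Tuple

# Format, delimiter and file content as posted above.
FORMAT = "My-Device-Group:*NAS-IP-Address"
DELIMITER = ":"
# Constructed in-memory copy of /etc/raddb/groups_local from the post.
GROUPS_LOCAL = "Nexus-readonly:192.168.11.123\n"


def parse_format(fmt: str, delimiter: str) -> Tuple[int, List[Tuple[str, Optional[str]]]]:
    """Return (key_index, [(attribute, destination)]).

    destination is 'reply', 'check' (prefix '=') or None (prefix '~').
    """
    fields: List[Tuple[str, Optional[str]]] = []
    key_index = None
    for i, raw in enumerate(fmt.split(delimiter)):
        name = raw.lstrip("*~=")
        prefix = raw[: len(raw) - len(name)]
        if "*" in prefix:
            key_index = i
        dest: Optional[str] = None if "~" in prefix else ("check" if "=" in prefix else "reply")
        fields.append((name, dest))
    if key_index is None:
        raise ValueError("format has no '*' key field")
    return key_index, fields


def lookup(file_text: str, fmt: str, delimiter: str,
           request: Dict[str, str]) -> Optional[Tuple[Dict[str, str], Dict[str, str]]]:
    """Look the request's key attribute up in the file.

    Returns (check_items, reply_items) for the first matching line,
    or None where rlm_passwd would return "notfound".
    """
    key_index, fields = parse_format(fmt, delimiter)
    key_value = request.get(fields[key_index][0])
    if key_value is None:
        return None
    for line in file_text.splitlines():
        cols = line.split(delimiter)
        if len(cols) <= key_index or cols[key_index] != key_value:
            continue
        check: Dict[str, str] = {}
        reply: Dict[str, str] = {}
        for i, (name, dest) in enumerate(fields):
            if i == key_index or dest is None or i >= len(cols):
                continue  # assumption: key field is lookup-only
            (check if dest == "check" else reply)[name] = cols[i]
        return check, reply
    return None
```

Compare the result for the posted format with the result for `"=My-Device-Group:*NAS-IP-Address"` to see which item list a users-file check entry such as `My-Device-Group == "..."` would be able to match against.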


