Devices in more than one huntgroup
Frank Ranner
frank.ranner at gmail.com
Fri Aug 19 10:34:38 CEST 2011
On 19/08/2011, at 4:59 PM, Jan.Weiss at t-systems.com wrote:
>> Hi,
>>
>> I have a little problem with devices in multiple huntgroups.
>> By now I know that this is not possible (rtfm helped ;-)
>>
>> What i wanted to do is the following:
>>
>> Two teams, but with different rights.
>>
>> Users:
>> ====================
>> DEFAULT Auth-Type := LDAP, Huntgroup-Name == "nexus", LDAP-Group == "<Team-1-Group>"
>> Login-Service = Telnet,
>> Cisco-AVPair = "shell:roles*\"network-admin\" \"vdc-admin\""
>>
>> DEFAULT Auth-Type := LDAP, Huntgroup-Name == "readonly-nexus", LDAP-Group == "<Team-2-Group>"
>> Login-Service = Telnet,
>> Cisco-AVPair = "shell:roles*\"network-operator\" \"vdc-operator\""
>>
>> Huntgroups:
>> ====================
>> readonly-nexus NAS-IP-Address == 192.168.11.123
>> Nexus NAS-IP-Address == 192.168.11.123
>>
>>
>> Since only the first match within the huntgroups is checked, team-2 always gets "access-reject".
>>
>>
>> For checking, only the NAS-IP-Address makes sense in our environment.
>> I already found a hint to use rlm_passwd, but I can't get this to run.
>>
>> So I tried the following:
>>
>> =======================
>> Users:
>> DEFAULT Auth-Type := LDAP, Huntgroup-Name == "nexus", My-Device-Group == "Nexus-readonly", LDAP-Group == "<Team-2-Group>"
>> Login-Service = Telnet,
>> Cisco-AVPair = "shell:roles*\"network-operator\" \"vdc-operator\""
>>
>> modules/passwd:
>> passwd Groups_local {
>> filename = /etc/raddb/groups_local
>> format = "My-Device-Group:*NAS-IP-Address"
>> hashsize = 50
>> ignorenislike = no
>> allowmultiplekeys = no
>> delimiter = ":"
>> }
>>
>> groups_local:
>> Nexus-readonly:192.168.11.123
>>
>> dictionary:
>> ATTRIBUTE My-Device-Group 3000 string
>>
>> =======================
>>
>> Groups_local was placed in the authorize section, after preprocess.
>>
>> Debug shows:
>>
>> Ready to process requests.
>> rad_recv: Access-Request packet from host 192.168.11.123 port 48910, id=20, length=62
>> User-Name = "test"
>> User-Password = "test"
>> NAS-Port-Type = Virtual
>> NAS-Port = 3000
>> NAS-IP-Address = 192.168.11.123
>> +- entering group authorize {...}
>> ++[preprocess] returns ok
>> ++[groups_local] returns notfound
>>
>> Any idea?
>> Or is there a big bug in my config (and my mind)?
>> Thanks!
>>
>> Jan
>
> Does nobody have an idea what I'm doing wrong?
> Or any idea how I could realize this?
>
> Thanks a lot!
>
> Jan
DEFAULT Huntgroup-Name == "nexus", LDAP-Group == "nexus_RO"
    ...
DEFAULT Huntgroup-Name == "nexus", LDAP-Group == "nexus_RW"
    ...
Add your users to groups to suit. While devices can only be in one group, users can be in many.
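As an added illustration (not code from this thread or from FreeRADIUS), a small Python model of the matching rules the thread relies on: in huntgroups the first NAS-IP-Address match wins, and in the users file the first DEFAULT entry whose check items all match wins, otherwise the request is rejected. The user names, LDAP group membership and the 192.168.11.123 switch are constructed sample data, and the matching is a deliberate simplification of the real preprocess, files and ldap modules.

```python
# Added example, not code from the thread or FreeRADIUS: a toy model of the
# matching rules discussed above. huntgroups: first NAS-IP-Address match wins.
# users: first DEFAULT entry whose check items all match wins, none -> reject.
# LDAP-Group membership is a constructed dict standing in for the LDAP lookup.

def huntgroup_for(huntgroups, nas_ip):
    """huntgroups file as a list of (name, NAS-IP-Address); first match wins."""
    for name, ip in huntgroups:
        if ip == nas_ip:
            return name
    return None

def authorize(users, huntgroups, ldap_groups, user, nas_ip):
    """Reply (Cisco-AVPair) of the first matching DEFAULT entry, or None
    when nothing matches, which FreeRADIUS turns into an Access-Reject."""
    hg = huntgroup_for(huntgroups, nas_ip)
    for wanted_hg, wanted_group, reply in users:
        if hg == wanted_hg and wanted_group in ldap_groups.get(user, ()):
            return reply
    return None

# Constructed data: one Nexus switch, an admin user and an operator user.
NAS = "192.168.11.123"
LDAP = {"alice": {"nexus_RW"}, "bob": {"nexus_RO"}}
RW = 'shell:roles*"network-admin" "vdc-admin"'
RO = 'shell:roles*"network-operator" "vdc-operator"'

# First attempt from the question: two huntgroups for the same NAS-IP-Address,
# rights selected by huntgroup. Only the first huntgroup can ever match.
TWO_HUNTGROUPS = [("readonly-nexus", NAS), ("nexus", NAS)]
USERS_BY_HUNTGROUP = [("nexus", "nexus_RW", RW), ("readonly-nexus", "nexus_RO", RO)]

# Approach from the reply: one huntgroup per device, rights selected by LDAP-Group.
ONE_HUNTGROUP = [("nexus", NAS)]
USERS_BY_LDAP_GROUP = [("nexus", "nexus_RO", RO), ("nexus", "nexus_RW", RW)]

def compare():
    """Outcome per user under both layouts: {layout: {user: reply-or-None}}."""
    return {
        "two-huntgroups": {u: authorize(USERS_BY_HUNTGROUP, TWO_HUNTGROUPS, LDAP, u, NAS) for u in LDAP},
        "one-huntgroup": {u: authorize(USERS_BY_LDAP_GROUP, ONE_HUNTGROUP, LDAP, u, NAS) for u in LDAP},
    }

if __name__ == "__main__":
    for layout, outcome in compare().items():
        print(layout, outcome)
```

With two huntgroups on one address only the team behind the first huntgroup is ever authorized; with one huntgroup and two LDAP groups both teams get their own roles.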