RADIUS configuration based on source IP

Morty morty at frakir.org
Tue Aug 30 18:21:12 CEST 2011


I have a variety of Cisco devices that require mutually incompatible
values in a certain RADIUS attribute, Cisco-AVPair.  The way I have
dealt with this in the past is with huntgroups -- I assign our
engineer group on huntgroup1 to have Cisco-AVPair set to
shell:roles=network-admin, while by default, the engineer group gets
shell:priv-lvl=15.  So far, so good.  Problem is that we have another
new kind of Cisco device that achieves engineer read-write with
Cisco-AVPair set to shell:roles*admin.  I figured that I would just
set up another huntgroup, but this device apparently also doesn't set
NAS-IP-Address or NAS-Identifier, so the usual huntgroup mechanism
doesn't work.

My production environment currently uses Cistron.  But I'm planning to
switch to freeradius.  Unfortunately, it looks to me like the same
issue applies to freeradius.

Help?  Is there any way to make a distinction between devices in the
config without using huntgroups based on NAS-IP-Address or
NAS-Identifier?

Thanks!

[I sent a very similar message to the cistron mailing list, BTW.  I'm
looking for a solution for either program.]

- Morty
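An added example, not part of Morty's message and not taken from the FreeRADIUS or Cistron documentation, of how the distinction can be drawn in FreeRADIUS without NAS-IP-Address or NAS-Identifier. FreeRADIUS fills its internal attribute Packet-Src-IP-Address from the UDP source address of the request, so it is available in the huntgroups file even when the NAS sends neither of the two attributes the usual huntgroup match relies on. The 192.0.2.x addresses, the huntgroup names and the "engineers" Group name are placeholders assumed for the example; the Cisco-AVPair values are the three from the message.

```conf
# Added example, not the poster's configuration.
# Assumed: 192.0.2.x device addresses, the huntgroup names below, and an
# "engineers" group that is resolved by the Group check item.

# --- raddb/huntgroups ---
# Match on the request's source IP instead of NAS-IP-Address.
# Packet-Src-IP-Address is an internal FreeRADIUS attribute set from the
# UDP header, so it exists even for a NAS that sends neither
# NAS-IP-Address nor NAS-Identifier. One line per device address.
huntgroup1  Packet-Src-IP-Address == 192.0.2.10
huntgroup1  Packet-Src-IP-Address == 192.0.2.11
nxos        Packet-Src-IP-Address == 192.0.2.20

# --- raddb/users ---
# The first matching entry wins unless it sets Fall-Through = Yes, so the
# device-specific entries come first and the generic default last.
DEFAULT Huntgroup-Name == "huntgroup1", Group == "engineers"
        Cisco-AVPair = "shell:roles=network-admin"

DEFAULT Huntgroup-Name == "nxos", Group == "engineers"
        Cisco-AVPair = "shell:roles*admin"

DEFAULT Group == "engineers"
        Cisco-AVPair = "shell:priv-lvl=15"
```

The huntgroups file is evaluated by rlm_preprocess, which the stock authorize section lists before the files module, so Huntgroup-Name is already set when the users file is read. The device still has to appear in clients.conf with its shared secret; since FreeRADIUS 2 the same decision can also be written in unlang against Packet-Src-IP-Address or against %{client:shortname}, which avoids repeating addresses in two files. To check the match, run radiusd -X and compare the address in the "Access-Request packet from host ..." line with the huntgroups entry: that is the address Packet-Src-IP-Address carries.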



More information about the Freeradius-Users mailing list