something like huntgroups?

Matt Zagrabelny mzagrabe at
Tue Jul 2 03:30:53 CEST 2013


Our Cisco VPN concentrator is sending some RADIUS attributes in the
request packet and if certain values appear, then I'd like to only
allow a subset of users to log in.

I've looked at:

the SQL Huntgroup howto and it seemed close, but the scenario that I
am looking at is slightly different and I am getting mixed up. I am
hoping for some help.

Here is my scenario:

We have a generic VPN profile that we'd like to allow *all* users to
log in to - this works well.

When users log in to the "secret" profile, then the following VPN
attribute is included in the request:

Vendor-3076-Attr-146 = 0x554d44

The attribute and value are known and constant, thus I can make
decisions on them.

Users who are in the "secret" group should be able to log in to *both*
the generic profile (which does not have the Vendor-3076-Attr-146 =
0x554d44 pair) and the "secret" profile, which does have the pair.

If a user is not in the secret group, then their login should fail if
the Vendor-3076-Attr-146 = 0x554d44 pair is in the request.

Thanks for any advice or design input!
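
[Added example, not part of the original post and not FreeRADIUS configuration.] The policy described above, modelled in Python against the wire form of the attribute: Vendor-3076-Attr-146 is a Vendor-Specific attribute (type 26) carrying vendor ID 3076 and sub-attribute 146. Assumptions: the RFC 2865 sub-attribute layout, the constructed users `alice` and `bob`, and the constructed `SECRET_GROUP` membership set.

```python
import struct

VENDOR_ID, VENDOR_TYPE = 3076, 146          # "Vendor-3076-Attr-146" from the post
SECRET_VALUE = bytes.fromhex("554d44")      # value from the post
SECRET_GROUP = {"alice"}                    # constructed membership (assumption)

def tlv(t, value):
    """Encode one RADIUS attribute: type, length (header included), value."""
    return bytes([t, len(value) + 2]) + value

def build_request(user, vsa_value=None):
    """Constructed Access-Request (code 1) with a zeroed authenticator."""
    body = tlv(1, user.encode())            # User-Name
    if vsa_value is not None:               # Vendor-Specific (26)
        body += tlv(26, struct.pack("!I", VENDOR_ID) + tlv(VENDOR_TYPE, vsa_value))
    return struct.pack("!BBH16s", 1, 0, 20 + len(body), bytes(16)) + body

def walk(buf):
    """Yield (type, value) pairs; raise ValueError on a malformed length."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError("malformed attribute")
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]

def decide(packet):
    """Group policy only (credentials are checked elsewhere): 'accept' or 'reject'."""
    try:
        length = struct.unpack("!H", packet[2:4])[0]
        if not 20 <= length <= len(packet):
            raise ValueError("bad packet length")
        attrs = list(walk(packet[20:length]))
        user = next(v for t, v in attrs if t == 1).decode()
        secret_profile = any(
            (vt, vv) == (VENDOR_TYPE, SECRET_VALUE)
            for t, v in attrs if t == 26 and len(v) >= 4
            and struct.unpack("!I", v[:4])[0] == VENDOR_ID
            for vt, vv in walk(v[4:]))
    except (ValueError, StopIteration, struct.error):
        return "reject"                     # fail closed on anything unparsable
    if secret_profile and user not in SECRET_GROUP:
        return "reject"                     # pair present, user not in the group
    return "accept"                         # generic profile, or a group member
```

A request that cannot be parsed is rejected rather than treated as the generic profile, so a damaged attribute cannot be used to sidestep the group check.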


