how to organize groups of users getting access to groups of servers

Jan-Frode Myklebust janfrode at tanso.net
Tue Mar 25 20:07:10 CET 2014


I want to use freeradius to authenticate different groups of users (from
LDAP) to sets of network devices, potentially with different access
levels, but have a bit of a hard time understanding how this is supposed to
be configured. It would be nice to get some advice.

What I have so far is:

# Give ldap group "firewall" super-user privilege on juniper firewalls.
# Check items (including Auth-Type) go on the DEFAULT line, separated by
# commas; reply items go on the indented lines, comma-separated, with no
# comma after the last one.
DEFAULT Ldap-Group == "cn=firewall,cn=groups,cn=accounts,dc=example,dc=com", Auth-Type := LDAP
	Juniper-Local-User-Name := "super-users"

# Give ldap group "netadmin" "enable" access on cisco routers:
DEFAULT Ldap-Group == "cn=netadmin,cn=groups,cn=accounts,dc=example,dc=com", Auth-Type := LDAP
	Cisco-AVPair = "shell:priv-lvl=15"

But this doesn't work for users who are members of both groups, so
I need to say that the first rule is limited to a set of juniper
devices, and the second is limited to a set of cisco devices.

What's the strategy we should use for expressing this? Is it possible
without having to specify one rule for each NAS-IP-Address? I.e. being
able to do some kind of grouping of clients to match on would be very
helpful.


  -jf
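One way to express the per-device restriction, as an added example that is not part of the original post or of the FreeRADIUS project's shipped configuration: the preprocess module reads a huntgroups file that maps NAS addresses to a named group and adds Huntgroup-Name to the request, and the users file can then match Huntgroup-Name as a check item next to Ldap-Group. The huntgroup names, the 192.0.2.x NAS addresses and the extra "netops" LDAP group below are constructed; the example assumes preprocess (with huntgroups enabled) and ldap run in the authorize section before files, and that the users file is evaluated with its default first-match semantics (no Fall-Through).

```text
# /etc/raddb/huntgroups (constructed example): name groups of NAS devices.
# Several lines with the same name form one group; NAS-IP-Address is the
# usual check item, but any request attribute can be used.
juniper-fw	NAS-IP-Address == 192.0.2.10
juniper-fw	NAS-IP-Address == 192.0.2.11
cisco-rtr	NAS-IP-Address == 192.0.2.20
cisco-rtr	NAS-IP-Address == 192.0.2.21

# /etc/raddb/users (constructed example): require BOTH the device group and
# the LDAP group. Check items share the first line, separated by commas;
# reply items go on the indented lines. The first matching entry wins, so a
# user in both LDAP groups gets the Juniper profile on a firewall and the
# Cisco profile on a router, never the wrong vendor's attributes.
DEFAULT Huntgroup-Name == "juniper-fw", Ldap-Group == "cn=firewall,cn=groups,cn=accounts,dc=example,dc=com", Auth-Type := LDAP
	Juniper-Local-User-Name := "super-users"

DEFAULT Huntgroup-Name == "cisco-rtr", Ldap-Group == "cn=netadmin,cn=groups,cn=accounts,dc=example,dc=com", Auth-Type := LDAP
	Cisco-AVPair = "shell:priv-lvl=15"

# A second LDAP group (constructed) gets a lower privilege level on the same
# routers: same device group, different LDAP group, different reply.
DEFAULT Huntgroup-Name == "cisco-rtr", Ldap-Group == "cn=netops,cn=groups,cn=accounts,dc=example,dc=com", Auth-Type := LDAP
	Cisco-AVPair = "shell:priv-lvl=1"

# Catch-all: a request that reaches this entry matched no device/group pair
# above, so refuse it explicitly instead of letting it fall through.
DEFAULT Auth-Type := Reject
	Reply-Message = "Not authorised on this device"
```

Adding a new device to a class is then one huntgroups line rather than a new users entry per NAS, and the explicit Reject at the end makes the "no matching group" case a logged refusal rather than an accidental default. Running the server with `radiusd -X` and sending a test request with the relevant NAS-IP-Address shows which entry matched and which reply attributes were returned.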


More information about the Freeradius-Users mailing list