how to organize groups of users getting access to groups of servers
Jan-Frode Myklebust
janfrode at tanso.net
Tue Mar 25 20:07:10 CET 2014
I want to use freeradius to authenticate different groups of users (from
LDAP) to sets of network devices, potentially with different access
levels, but have a bit hard time understanding how this is supposed to
be configured. Would be nice with some advice..
What I have so far is:
# Give ldap group "firewall" super-user privilege on juniper firewalls:
DEFAULT Ldap-Group == "cn=firewall,cn=groups,cn=accounts,dc=example,dc=com"
Auth-Type := LDAP
Juniper-Local-User-Name := "super-users",
# Give ldap group "netadmin" "enable" access on cisco routers:
DEFAULT Ldap-Group == "cn=netadmin,cn=groups,cn=accounts,dc=example,dc=com"
Auth-Type := LDAP
cisco-avpair = "shell:priv-lvl=15"
But this doesn't work for users that are member of both groups, so
I need to say that the first rule is limited to a set of juniper
devices, and the second is limited to a set of cisco devices.
What's the strategy we should use for expressing this? Is it possible
without having to specify one rule for each NAS-IP-Address? I.e. being
able to do some kind og grouping of clients to match on would be very
helpful..
-jf
More information about the Freeradius-Users
mailing list