Specific, complicated, detailed user rights possibility?

Mart Pirita mart at e-positive.ee
Fri Aug 28 14:02:34 CEST 2015


Alan DeKok wrote:
> On Aug 27, 2015, at 9:46 AM, Mart Pirita <mart at e-positive.ee> wrote:
>> But we need a more detailed setup. For example, the idea is to allow user1 to access some switches and to disable user1 from accessing some other switches. And then even more specific rights, for example, among the switches which user1 can access, he has read-only rights on some switches and read-write rights on some others.
>    In general, data goes into databases, and policy rules go into the FreeRADIUS config.
>
>    You should put all of these restrictions into an LDAP schema, and then use FreeRADIUS to query that.


But the main idea is that LDAP just does the authentication (yes/no) and 
that's it, nothing more. Everything else (who can access and with what 
rights) is in the RADIUS config only. Is this possible?

>
>> And can it be done with groups, not using a different configuration for every user? For example, so that users are listed in groups, and these groups are used in the access configurations?
>    If it's simple, you can put the devices into hunt groups, and the users into ldap groups.

Same question, how to do it without ldap groups?


>
>    If it's more complex... there's no simple solution.
>
>> Huntgroups may be the solution, but as far as I know, huntgroups are for devices, and not for user rights. Also I don't know whether one and the same device IP can exist in many different huntgroups, and whether one huntgroup can include other huntgroups.
>    You can't put hunt groups into other hunt groups.

Ok.

>

-- 
Mart
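
An added illustration of the device-side part of this discussion (not from the thread or the FreeRADIUS project): switches are grouped in the huntgroups file, and per-user entries in the users file grant read-write, read-only or no access per device group, leaving the password check itself to the ldap module. The huntgroup names, the 192.0.2.x addresses and the use of Service-Type to express read-only versus read-write are assumptions; many switches instead expect a vendor-specific privilege attribute.

```conf
# FreeRADIUS 3.x: mods-config/preprocess/huntgroups (2.x: raddb/huntgroups)
# Device groups keyed by the switch's NAS-IP-Address. Several lines with
# the same name are alternatives (OR). Addresses are constructed examples.
core-switches    NAS-IP-Address == 192.0.2.10
core-switches    NAS-IP-Address == 192.0.2.11
access-switches  NAS-IP-Address == 192.0.2.20
access-switches  NAS-IP-Address == 192.0.2.21

# FreeRADIUS 3.x: mods-config/files/authorize (2.x: raddb/users)
# Entries are tried top to bottom; the first entry whose check items all
# match is used and matching stops (unless it sets Fall-Through = Yes).
# The first two entries set no Auth-Type, so the ldap module still
# decides whether the password is correct.

# user1 on a core switch: read-write (assumed mapping to Service-Type).
user1   Huntgroup-Name == "core-switches"
        Service-Type = Administrative-User

# user1 on an access switch: read-only (assumed mapping to Service-Type).
user1   Huntgroup-Name == "access-switches"
        Service-Type = NAS-Prompt-User

# user1 on any switch outside those huntgroups: reject before LDAP is asked.
user1   Auth-Type := Reject
        Reply-Message = "Not permitted on this device"
```

With this layout LDAP never needs to know about switches or rights; removing a user's last entry from the users file leaves only the final reject, which is easy to verify with `radtest` against a NAS-IP-Address from each group.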



More information about the Freeradius-Users mailing list