Assigning Users to Groups Dynamically
J Kephart
jkephart at safetynetaccess.com
Wed Dec 16 22:23:11 CET 2015
Hi!
I've been looking through the wiki, but thus far, I've not found
anything that describes what I'd like to be able to do.
We manage on-site hardware for our clients, and that hardware includes
routers, gateways, switches, etc. What I'd like to be able to do is
assign a user to a group dynamically, based on some identifying
parameter received in the access request, and then have the group's
attributes passed back in the access accept packet.
So, for example, if any user wants to connect to Vendor A's gateway, we
might have a group defined for that type of device containing:
vendor_a_gateway Idle-Timeout = 900
vendor_a_gateway VSA_1 = xxx
vendor_a_gateway VSA_2 = xxx
vendor_a_gateway VSA_3 = xxx
Likewise, for Vendor B, we might have the following:
vendor_b_switch Idle-Timeout = 600
vendor_b_switch VSA_1 = xxx
vendor_b_switch VSA_2 = xxx
vendor_b_switch VSA_3 = xxx
Ultimately, then, if a user logs on to a device that we can categorize
as being Vendor A's gateway, we'd automatically associate that user with
the group "vendor_a_gateway", and so on. In that way, we hope to limit
the number of attributes we need to manage for each user, instead having
a short list of groups with attributes that can be assigned on the fly.
I don't know if I've explained this in a way that makes sense (I hope it
makes sense to someone!), but I wonder if there's a way to do what I've
described.
Hopefully,
Jim
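
The scheme described in the message above, modelled as an added example that is not part of the original post and is not FreeRADIUS configuration: the NAS that sent the Access-Request is classified into a group, and that group's attributes form the reply. It goes slightly beyond the post by letting a more specific subnet override its parent and by letting per-user values override group values. Assumptions: NAS-IP-Address is the identifying parameter, the subnets are constructed, an unclassified device is rejected, and the function names are hypothetical.

```python
import ipaddress

# Group definitions. The Idle-Timeout values are the ones in the post; the
# VSA_1..VSA_3 entries are left out because the post gives them only as "xxx".
GROUP_REPLY = {
    "vendor_a_gateway": {"Idle-Timeout": 900},
    "vendor_b_switch": {"Idle-Timeout": 600},
}

# Constructed device inventory (assumption): NAS subnet -> group.
# Addresses are taken from the RFC 5737 documentation range.
DEVICE_CLASSES = [
    (ipaddress.ip_network("192.0.2.0/24"), "vendor_a_gateway"),
    (ipaddress.ip_network("192.0.2.128/25"), "vendor_b_switch"),
]


def classify(request):
    """Return the group for the NAS that sent the request, or None."""
    try:
        nas = ipaddress.ip_address(request.get("NAS-IP-Address", ""))
    except ValueError:
        return None  # missing or malformed identifier: no group
    matches = [(net.prefixlen, group) for net, group in DEVICE_CLASSES if nas in net]
    # Most specific subnet wins, so the /25 carve-out overrides its parent /24.
    return max(matches)[1] if matches else None


def build_reply(request, user_overrides=None):
    """Return (packet type, reply attributes) for an already authenticated user."""
    group = classify(request)
    if group is None:
        # Assumption: fail closed, an unclassified device gets no attributes.
        return "Access-Reject", {}
    reply = dict(GROUP_REPLY[group])    # copy so the group table is not mutated
    reply.update(user_overrides or {})  # per-user values win over group values
    return "Access-Accept", reply
```

The classification is only as trustworthy as the identifying attribute, so it should be a value the RADIUS server can tie to the authenticated client (the device holding the shared secret) rather than one a user can influence.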
More information about the Freeradius-Users
mailing list