Assigning Users to Groups Dynamically

Matthew Newton mcn4 at leicester.ac.uk
Fri Dec 18 19:05:59 CET 2015


On Fri, Dec 18, 2015 at 12:36:11PM -0500, Mark Williams wrote:
> I could be very wrong, but it seems like what you really want is
> access defined, not per user, or even user group, but rather by
> device class/group. That has its own issues, but… if I were to
> implement something like this in my own environment… I would
> start with records/nodes for the users, some radiusProfiles that
> bundle VSAs for different classes of devices, and then records
> for the clients themselves, each with a virtual-server attribute
> that matches a virtual-server in FreeRadius. A virtual-server
> specific to that group/class of devices.

> I’m still new to FreeRADIUS (really new), and the above was
> right off the top of my head, so there's surely a better way to
> do it. Actually you don’t even need multiple v-servers, just a

Sounds sensible. But I wouldn't split it into different virtual
servers without a good reason to.

Just need to do two lookups. First, user to hardware type, then
secondly hardware type to group. If you want to fit into the
"traditional" way of doing this you might want to use huntgroups,
otherwise any sort of SQL or LDAP etc database lookup could be
used.

> > So, for example, if any user wants to connect to Vendor A's gateway, we
> > might have a group defined for that type of device containing:
> > 
> > vendor_a_gateway    Idle-Timeout    =    900
> > vendor_a_gateway    VSA_1           =    xxx
> > vendor_a_gateway    VSA_2           =    xxx
> > vendor_a_gateway    VSA_3           =    xxx
> > 
> > Likewise, for Vendor B, we might have the following:
> > 
> > vendor_b_switch     Idle-Timeout    =    600
> > vendor_b_switch     VSA_1           =    xxx
> > vendor_b_switch     VSA_2           =    xxx
> > vendor_b_switch     VSA_3           =    xxx
> > 
> > Ultimately, then, if a user logs on to a device that we can categorize
> > as being Vendor A's gateway, we'd automatically associate that user with
> > the group "vendor_a_gateway", and so on.  In that way, we hope to limit

Yeah, so you're looking up something like the "NAS-IP-Address" in
one table to get "Group", then look up "Group" in another table to
get the reply attributes.

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
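The two-lookup scheme described above, as an added example that is not from the thread or from FreeRADIUS itself: a NAS-IP-Address is first mapped to a device group, then the group is mapped to its reply attributes, using the SQL route Matthew mentions. Both tables, the NAS addresses and the VSA values are constructed placeholders, and the query functions are hypothetical names.

```python
import sqlite3

# Constructed sample data (not from the thread): device-class groups with their
# reply items, laid out like the quoted "group  attribute  =  value" rows.
# VSA names and values are placeholders, as in the original message.
GROUP_REPLY_ROWS = [
    ("vendor_a_gateway", "Idle-Timeout", "=", "900"),
    ("vendor_a_gateway", "VSA_1", "=", "xxx"),
    ("vendor_b_switch", "Idle-Timeout", "=", "600"),
    ("vendor_b_switch", "VSA_1", "=", "xxx"),
]

# First lookup table: NAS-IP-Address -> device group (constructed addresses).
NAS_GROUP_ROWS = [
    ("192.0.2.10", "vendor_a_gateway"),
    ("192.0.2.20", "vendor_b_switch"),
]


def build_db():
    """Create an in-memory database holding both lookup tables."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE nas_group (nasipaddress TEXT PRIMARY KEY,"
               " groupname TEXT NOT NULL)")
    db.execute("CREATE TABLE group_reply (groupname TEXT NOT NULL,"
               " attribute TEXT NOT NULL, op TEXT NOT NULL, value TEXT NOT NULL)")
    db.executemany("INSERT INTO nas_group VALUES (?, ?)", NAS_GROUP_ROWS)
    db.executemany("INSERT INTO group_reply VALUES (?, ?, ?, ?)", GROUP_REPLY_ROWS)
    return db


def group_for_nas(db, nas_ip):
    """First lookup: which device class does this NAS belong to? None if unknown.
    The address comes from the request, so it is bound as a parameter."""
    row = db.execute("SELECT groupname FROM nas_group WHERE nasipaddress = ?",
                     (nas_ip,)).fetchone()
    return row[0] if row else None


def reply_attributes(db, nas_ip):
    """Second lookup: reply items for that group as (attribute, op, value).
    An unknown NAS yields an empty list so the caller keeps its default policy."""
    groupname = group_for_nas(db, nas_ip)
    if groupname is None:
        return []
    return db.execute("SELECT attribute, op, value FROM group_reply"
                      " WHERE groupname = ? ORDER BY rowid", (groupname,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    for ip in ("192.0.2.10", "192.0.2.20", "198.51.100.1"):
        print(ip, group_for_nas(db, ip), reply_attributes(db, ip))
```

In a real deployment the first table could equally be a huntgroups file keyed on NAS-IP-Address, with the group name then driving the reply lookup.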
