NAS-restricted users

Alan DeKok aland at deployingradius.com
Wed May 9 22:35:02 CEST 2018


On May 9, 2018, at 2:42 PM, brent s. <bts at square-r00t.net> wrote:
> Oops, sorry - I meant the %{...} dynamic string expansions. In other
> words, based on the above it would seem I can do this (pardon the
> line breaking):

  The filter is expanded dynamically.  You can put anything you want in it, so long as the attribute exists.

> filter=(&(cn=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=ou=%{NAS-Identifier},ou=Groups,dc=domain,dc=tld))
> correct?

  That should be fine.

>>> 3.) Is there a better way to do this (preferably without duplicating NAS
>>> entries)? Ideally without using huntgroups or the like, which is how I
>>> usually see this sort of functionality achieved.
>> 
>>  LDAP groups are by far and away the best solution.
>> 
> 
> Looks like groups would need to be the way to go, yeah.
> 
> The above, if correct, would also work with dynamic-clients as well, yes?

  No.  Dynamic clients are only matched by source IP.  You can't look at the packet contents.

  That's changed in v4.  v4 supports connection-based clients.  i.e. different shared secrets for each machine behind a NAT gateway.

  v4 isn't released yet, though.  You can try it, and if it works, that's nice.  But if anything goes wrong, we still recommend using v3.

  Alan DeKok.
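To make the dynamic filter expansion above concrete, here is a worked example (added here; it is not code from the FreeRADIUS project or from either poster). It implements a minimal version of the `%{Attr}` and `%{%{A}:-%{B}}` xlat syntax used in the quoted filter, expands the filter against a request's attribute list, and escapes each expanded value per RFC 4515 so that characters like `*`, `(` and `)` in User-Name or NAS-Identifier stay inside the assertion value instead of changing the filter's structure. The escaping step and the sample request attributes are this example's own assumptions; the post itself does not discuss escaping.

```python
"""Expand a FreeRADIUS-style LDAP filter template against request attributes.

Added example, not rlm_ldap's own implementation. Supports:
  %{Attr}         -> value of Attr, or "" if the attribute is absent
  %{%{A}:-%{B}}   -> %{A} if it expands to something non-empty, else %{B}
Expanded attribute values are escaped per RFC 4515; literal template text is not.
"""

# RFC 4515 section 3: characters that must be escaped inside a filter assertion value.
_LDAP_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# The filter from the thread, used as the default template.
FILTER_TEMPLATE = (
    "(&(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
    "(memberOf=ou=%{NAS-Identifier},ou=Groups,dc=domain,dc=tld))"
)

# Constructed sample requests (not real traffic).
REQUEST_PLAIN = {"User-Name": "alice", "NAS-Identifier": "vpn-gw1"}
REQUEST_STRIPPED = {"User-Name": "bob@example.org", "Stripped-User-Name": "bob",
                    "NAS-Identifier": "wifi-ap2"}
REQUEST_WILDCARD = {"User-Name": "eve*", "NAS-Identifier": "wifi-ap2"}


def ldap_filter_escape(value: str) -> str:
    """Escape a value for safe embedding in an LDAP search filter (RFC 4515)."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def _find_close(s: str, start: int) -> int:
    """Given s[start:start+2] == '%{', return the index of the matching '}'."""
    depth = 0
    i = start
    while i < len(s):
        if s.startswith("%{", i):
            depth += 1
            i += 2
            continue
        if s[i] == "}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    raise ValueError("unterminated %{ in template")


def _split_default(inner: str):
    """Split 'left:-right' at the first top-level ':-', or return None if absent."""
    depth = 0
    i = 0
    while i < len(inner):
        if inner.startswith("%{", i):
            depth += 1
            i += 2
            continue
        if inner[i] == "}":
            depth -= 1
        elif depth == 0 and inner.startswith(":-", i):
            return inner[:i], inner[i + 2:]
        i += 1
    return None


def expand(template: str, attrs: dict, escape=ldap_filter_escape) -> str:
    """Expand every %{...} in `template` using `attrs`; values go through `escape`."""
    out = []
    i = 0
    while i < len(template):
        if template.startswith("%{", i):
            close = _find_close(template, i)
            inner = template[i + 2:close]
            parts = _split_default(inner)
            if parts is None:
                # Plain attribute reference: missing attributes expand to "".
                out.append(escape(attrs.get(inner.strip(), "")))
            else:
                # Default syntax: try the left side first, fall back to the right.
                left, right = parts
                value = expand(left, attrs, escape)
                out.append(value if value else expand(right, attrs, escape))
            i = close + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def build_filter(attrs: dict, template: str = FILTER_TEMPLATE) -> str:
    """Return the fully expanded, escaped LDAP filter for one request."""
    return expand(template, attrs)


if __name__ == "__main__":
    for req in (REQUEST_PLAIN, REQUEST_STRIPPED, REQUEST_WILDCARD):
        print(build_filter(req))
```

Running the block prints one expanded filter per sample request; note that the request with no Stripped-User-Name falls back to User-Name, and the `*` in the third request is emitted as `\2a` rather than acting as a wildcard.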



