NAS-restricted users
brent s.
bts at square-r00t.net
Wed May 9 23:06:34 CEST 2018
On 05/09/2018 04:35 PM, Alan DeKok wrote:
> On May 9, 2018, at 2:42 PM, brent s. <bts at square-r00t.net> wrote:
>> Oops, sorry - I meant the %{...} dynamic string expansions. In other
>> words, based on the above it would seem I can do this (pardon the
>> line breaking):
>
> The filter is expanded dynamically. You can put anything you want in it, so long as the attribute exists.
>
>> filter=(&(cn=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=ou=%{NAS-Identifier},ou=Groups,dc=domain,dc=tld))
>> correct?
>
> That should be fine.
>
>>>> 3.) Is there a better way to do this (preferably without duplicating NAS
>>>> entries)? Ideally without using huntgroups or the like, which is how I
>>>> usually see this sort of functionality achieved.
>>>
>>> LDAP groups are by far and away the best solution.
>>>
>>
>> Looks like groups would need to be the way to go, yeah.
>>
>> The above, if correct, would also work with dynamic-clients as well, yes?
>
> No. Dynamic clients are only matched by source IP. You can't look at the packet contents.
>
> That's changed in v4. v4 supports connection-based clients. i.e. different shared secrets for each machine behind a NAT gateway.
>
> v4 isn't released yet, though. You can try it, and if it works, that's nice. But if anything goes wrong, we still recommend using v3.
>
> Alan DeKok.
Thanks again, Alan. That answers all the questions I had. You've been a
big help.
--
brent saner
https://square-r00t.net/
GPG info: https://square-r00t.net/gpg-info
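A worked stand-in for what the filter in the quoted reply does, added here as an example (it is not code from the thread or from FreeRADIUS): it expands the %{%{Stripped-User-Name}:-%{User-Name}} fallback and the %{NAS-Identifier} xlat against a request, applies RFC 4515 escaping to the expanded values so that packet-supplied attributes cannot change the filter's structure, and evaluates the resulting (&(cn=...)(memberOf=...)) filter against a constructed directory. The directory entries, NAS names and request attributes are constructed; ou=Groups,dc=domain,dc=tld is the placeholder base from the thread.

```python
import re
# Constructed sample directory (not from the thread) using the thread's group DN layout.
DIRECTORY = [
    {"cn": ["alice"], "memberOf": ["ou=vpn01,ou=Groups,dc=domain,dc=tld"]},
    {"cn": ["bob"], "memberOf": ["ou=switch02,ou=Groups,dc=domain,dc=tld"]},
]
# The filter exactly as proposed in the thread.
FILTER_TEMPLATE = ("(&(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
                   "(memberOf=ou=%{NAS-Identifier},ou=Groups,dc=domain,dc=tld))")
def ldap_escape(value):
    """RFC 4515 escaping: a packet-supplied value cannot change the filter's shape."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def _close(s, i):
    """Index of the '}' matching the '{' at s[i]."""
    depth = 0
    for j in range(i, len(s)):
        depth += {"{": 1, "}": -1}.get(s[j], 0)
        if depth == 0:
            return j
    raise ValueError("unbalanced xlat in %r" % s)

def _xlat(body, request):
    """One xlat body: a top-level ':-' is the %{A}:-%{B} fallback, else an attribute lookup."""
    depth = 0
    for k in range(len(body) - 1):
        depth += {"{": 1, "}": -1}.get(body[k], 0)
        if depth == 0 and body[k:k + 2] == ":-":
            return expand(body[:k], request) or expand(body[k + 2:], request)
    return ldap_escape(request.get(body, ""))

def expand(template, request):
    """Expand every %{...} in template against a request dict of attribute -> value."""
    out, i = [], 0
    while True:
        start = template.find("%{", i)
        if start < 0:
            return "".join(out) + template[i:]
        end = _close(template, start + 1)
        out.append(template[i:start] + _xlat(template[start + 2:end], request))
        i = end + 1

def matches(entry, expanded_filter):
    """AND-of-equalities only; escaping leaves no bare parens in values, so a flat scan works."""
    pairs = re.findall(r"\(([\w-]+)=([^()]*)\)", expanded_filter)
    unesc = lambda v: re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), v)
    return bool(pairs) and all(unesc(v) in entry.get(a, []) for a, v in pairs)

def authorized_users(request, directory=DIRECTORY):
    """cn values the NAS-restricted search would return for this request."""
    return [e["cn"][0] for e in directory if matches(e, expand(FILTER_TEMPLATE, request))]
```

With these entries, alice is returned only for the NAS whose group she is a member of, Stripped-User-Name is used in preference to User-Name when the request carries it, and a NAS-Identifier containing filter metacharacters such as `*` is escaped rather than becoming a wildcard.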