Huntgroups with NAS-Port-Id or NAS-Port

Alan DeKok aland at deployingradius.com
Fri Oct 18 17:30:19 CEST 2019


On Oct 18, 2019, at 11:13 AM, Jan Hugo Prins <jhp at jhprins.org> wrote:
> 
> What I want to do is differentiate in what to send to a user based on
> his authentication and huntgroup.

  No.  What I'm saying is that huntgroups are the wrong solution.  The huntgroup functionality is limited.  It doesn't have the full expressive power of generic unlang statements.

> This works fine, except for the fact that I can't select the proper
> huntgroup at the moment on this specific NAS because I need to
> differentiate on the port the client is connected on. What I could do,
> is update the huntgroup in the auth-detail using a policy with unlang:
> 
> update_Huntgroup {
>     if (huntgroup == "ers5900" and NAS-Port == "3/1") {
>         update request {
>             &huntgroup := "ers5900edge"

  No.  You can't change the Huntgroup attribute.  It is defined to work with the huntgroup file.

> But then I also have to create a whole lot of code to make the correct
> decisions. Better just fill the huntgroup file with enough lines to make
> the correct decision.

  That makes no sense.  Why not just do something simpler?

  Edit raddb/dictionary to create a string attribute "My-Policy".

  Then write rules in unlang, instead of in the huntgroup file:

	if (NAS-Port > 15 && NAS-Port < 32) {
		update request {
			My-Policy := "foo"
		}
	}

  And then check the My-Policy attribute later.

  There is nothing which *forces* you to use huntgroups.  The server has multiple methods of creating policies for this reason.  If huntgroups aren't the right approach, use something else.  Don't try to force the subject.

  You're trying to hammer a round peg into a square hole.  Don't do that.

  Alan DeKok.
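
The approach from this reply written out end to end, as an added example that is not part of the original post and is not FreeRADIUS project code. It assumes FreeRADIUS 3.x; the attribute number 3000, the policy name my_policy, its file name, the values "default" and "edge", and VLAN "20" are constructed for illustration.

```unlang
# --- raddb/dictionary (dictionary syntax, not unlang) ---
# Local, server-internal attributes; 3000 is an assumed free number.
#
#   ATTRIBUTE	My-Policy	3000	string

# --- raddb/policy.d/my_policy (assumed file name) ---
# Classify the request once, early in "authorize".
my_policy {
	# Explicit default, so a port that matches no rule never
	# ends up with another port's policy.
	update request {
		&My-Policy := "default"
	}

	# NAS-Port is an integer, so numeric ranges compare directly.
	if (&NAS-Port > 15 && &NAS-Port < 32) {
		update request {
			&My-Policy := "foo"
		}
	}
	# NAS-Port-Id is a string, so a "unit/port" form such as "3/1"
	# is matched here rather than against NAS-Port.
	elsif (&NAS-Port-Id == "3/1") {
		update request {
			&My-Policy := "edge"
		}
	}
}

# --- raddb/sites-enabled/default (fragments) ---
# authorize {
#	my_policy
#	...
# }
#
# post-auth {
#	# Check the attribute later, as the reply suggests.
#	if (&request:My-Policy == "foo") {
#		update reply {
#			&Tunnel-Type := VLAN
#			&Tunnel-Medium-Type := IEEE-802
#			&Tunnel-Private-Group-Id := "20"
#		}
#	}
# }
```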