Plan assignment based on nas and ugroups

Ganga R. Dhungyel grdhungyel at gmail.com
Mon Jun 29 19:17:10 CEST 2020


Thank you, Alan. Few more questions:

Should this be in the Authorize section of the configuration or the Post-Auth section? 

Instead of evaluating. NAS-IP-Address, can we group the NASes in Huntgroups and use the Huntgroup value to do this since we using sql backend for both users and NASes? Tried this but when one user belongs to multiple groups, the group. Chosen is always the first one in the ordered list …it is as if the SQL-Group to Huntgroup-Name mapping in radgroupicheck table is not considered (Group checking is enabled). Maybe I am missing something. I read somewhere that a Fallback needs to be enabled for it to work but not sure if that is the case?

Thanks.

—
GRDhungyel


> On Jun 29, 2020, at 18:03, Alan DeKok <aland at deployingradius.com> wrote:
> 
> On Jun 25, 2020, at 1:07 PM, Ganga R. Dhungyel <grdhungyel at gmail.com> wrote:
>> I am running freeradius-3.0.13-10 with sql backend on centos to authenticate and authorize users based on group membership. Now a new requirement to assign vlan based on group AND nas has come up and I am not sure what is the best way to accomplish this. Need something like: If nas is xyz  and user belong to group A, then reply with vlan id 10, else if nas is abc and user belongs to group  A, reply with vlan 100, else  reply with vlan 200.
> 
>  You can just do this in unlang statements.  If your users are in LDAP, just:
> 
> 	if (NAS-IP-Address == 1.2.3.4 && LDAP-Group == "foo") {
> 		update reply {
> 			Tunnel-Type = VLAN,
> 			Tunnel-Medium-Type = IEEE-802,
> 			Tunnel-Private-Group-Id = "10"
> 		}
> 	}
> 
>  etc.
> 
>> Is using huntgroup and groupcheck the  best way to accomplish this? If so, what all need modifications. Example would be great. If not, what would be a better solution considering that I am using realm sql.
>> 
>> My apologies if this has been answered before..browsed the list and really could not find the use case described.
> 
>  We don't have documentation which says exactly how to do every possible thing. Instead, we document how the server works.
> 
>  Alan DeKok.
> 
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2440 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20200629/171ebb08/attachment.bin>


More information about the Freeradius-Users mailing list