Graeme Hinchliffe wrote:

Hiya
Thanks for your help, took me a while to get my head around what you were doing,


hehe! I can imagine :)
I'm not a good teacher.

but I have the general gist of it now and a working config.


this is the most important :)

much appreciated

Graeme


regards, thomas.

On Mon, 19 Jan 2004 16:12:53 +0100
Thomas MARCHESSEAU <[EMAIL PROTECTED]> wrote:



Hi,

I'm not sure I understand your request exactly, but I'm selecting the auth via the NAS-IP-Address:

* first the user.conf file: I have created huntgroups (lns, bas, lns-rtc, and even wifi)

- a part of user.conf -
DEFAULT Realm == "XXX.net", Huntgroup-Name == "bas", Autz-Type := "autz.XXX.net"
DEFAULT Realm == "XXX.net", Huntgroup-Name == "lns", Autz-Type := "autz1.XXX.net"
DEFAULT Realm == "XXX.net", Huntgroup-Name == "nas", Autz-Type := "autz2.XXX.net"
DEFAULT Realm == "XXX.net", Huntgroup-Name == "lns-rtc", Autz-Type := "autz.XXX.net"
-end-


* then here comes the huntgroups file:

- a part of huntgroups -

######### BAS #########
bas NAS-IP-Address == xx.124.255.2
# to verify whether it exists
bas NAS-IP-Address == xx.124.255.128
######### LNS #########
lns NAS-IP-Address == xx.223.42.14
lns NAS-IP-Address == xx.223.238.197
lns-rtc NAS-IP-Address == xx.223.14.226
lns-rtc NAS-IP-Address == xx.115.111.13


# the dupont ones (Nagios monitoring)
lns-rtc         NAS-IP-Address == 192.168.7.229
lns-rtc         NAS-IP-Address == 192.168.7.230


* then you can find parts of my sql.conf


authorize_check_query = "select USER_ID, USER_LOGIN, \"User-Password\", USER_PWD, ':=' from USER where USER_LOGIN = '%{User-Name}' and USER_ETAT = 'TRUE'"

# used to retrieve the Post-Auth-Type variable, for LNS load balancing
authorize_group_check_query = "select GATTR_ID, USER_LOGIN,GATTR_NOM , GATTR_VALEUR, GATTR_OPERATION \
from USER,GATTR where USER_LOGIN = '%{User-Name}' and GATTR.GROUPE_ID = USER.GROUPE_ID and GATTR_CLTTYPE = '%{Huntgroup-Name}' and GATTR_QUERYTYPE = 'check' "


# retrieve the user attributes
# (the per-user table is UATTR, so the query-type column is UATTR_QUERYTYPE)
authorize_reply_query = "select UATTR_ID, USER_LOGIN, UATTR_NOM , UATTR_VALEUR, UATTR_OPERATION \
from USER,UATTR where USER_LOGIN = '%{User-Name}' and UATTR.USER_ID = USER.USER_ID and UATTR_CLTTYPE = '%{Huntgroup-Name}' and UATTR_QUERYTYPE = 'reply' "


# retrieve the group attributes
authorize_group_reply_query = "select GATTR_ID, USER_LOGIN, GATTR_NOM , GATTR_VALEUR, GATTR_OPERATION \
from USER,GATTR where USER_LOGIN = '%{User-Name}' and GATTR.GROUPE_ID = USER.GROUPE_ID and GATTR_CLTTYPE = '%{Huntgroup-Name}' and GATTR_QUERYTYPE = 'reply' "
}



* and maybe you need to have a look at radiusd.conf



authorize {
        preprocess
        suffix
        files
        Autz-Type autz.XXX.net {
                chap
                sql.XXX.net
        }

        Autz-Type autz.david.cl {
                chap
                sql.david.cl
        }

        Autz-Type autz.valerie.cl {
                chap
                sql.valerie.cl
        }
}


ok, maybe it's not clear :/ if you feel it can help you, tell me :)



Graeme Hinchliffe wrote:



Hiya
        I am building a centralised authentication system for our routers; we are
using RADIUS (well, freeRADIUS :) ) as the authentication and authorization system.
Ideally we want to just have one radius server running on the machine that will be
responsible for this, but there are several different types of router.  So we have
people that can enable on router A but not B and vice-versa.

For this to work nicely I need to take into account the NAS IP address from which the auth request is coming and use a lookup in another table to determine the user's access level on the router. Is this possible in freeRADIUS without using an external call? I was looking at the sql_xlat call, or am I barking up the wrong tree?

thanks for any help,





- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
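As an added example (constructed here, not the thread's own configuration or FreeRADIUS code), this Python model walks the chain the config above sets up: NAS-IP-Address to Huntgroup-Name, Realm plus Huntgroup-Name to Autz-Type, and the %{Huntgroup-Name} substitution into the group check query. The addresses, the AUTZ_SQL_INSTANCE map and the request values are assumptions, and rlm_sql's escaping of the expanded values is not modelled.

```python
"""Model of the lookup chain above: NAS-IP-Address -> Huntgroup-Name -> Autz-Type
-> per-huntgroup SQL group check. Constructed example, not FreeRADIUS code."""
from ipaddress import ip_address

# Constructed huntgroups table, shaped like the huntgroups file (first match wins).
HUNTGROUPS = [
    ("bas", "10.124.255.2"),
    ("lns", "10.223.42.14"),
    ("lns-rtc", "10.223.14.226"),
    ("lns-rtc", "192.168.7.229"),  # Nagios monitoring probe
]
# Constructed users entries: (Realm, Huntgroup-Name) -> Autz-Type, like the DEFAULT lines.
USERS_DEFAULT = {
    ("XXX.net", "bas"): "autz.XXX.net",
    ("XXX.net", "lns"): "autz1.XXX.net",
    ("XXX.net", "lns-rtc"): "autz.XXX.net",
}
# Assumed: which sql instance each Autz-Type block in radiusd.conf calls.
AUTZ_SQL_INSTANCE = {"autz.XXX.net": "sql.XXX.net", "autz1.XXX.net": "sql1.XXX.net"}
GROUP_CHECK_QUERY = (
    "select GATTR_NOM, GATTR_VALEUR, GATTR_OPERATION from USER, GATTR "
    "where USER_LOGIN = '%{User-Name}' and GATTR.GROUPE_ID = USER.GROUPE_ID "
    "and GATTR_CLTTYPE = '%{Huntgroup-Name}' and GATTR_QUERYTYPE = 'check'"
)

def huntgroup_for(nas_ip):
    """preprocess: name from the first huntgroups line whose NAS-IP-Address matches."""
    for name, ip in HUNTGROUPS:
        if ip_address(ip) == ip_address(nas_ip):
            return name
    return None

def split_realm(user_name):
    """suffix: 'user@realm' -> (Stripped-User-Name, Realm); no '@' means no Realm."""
    user, sep, realm = user_name.partition("@")
    return (user, realm) if sep else (user_name, None)

def authorize(user_name, nas_ip):
    """Return Autz-Type, sql instance and the rendered group-check query, or None when
    no huntgroup or DEFAULT entry matches (the request then carries no Autz-Type)."""
    huntgroup = huntgroup_for(nas_ip)
    autz = USERS_DEFAULT.get((split_realm(user_name)[1], huntgroup))
    if autz is None:
        return None
    query = GROUP_CHECK_QUERY.replace("%{User-Name}", user_name)
    query = query.replace("%{Huntgroup-Name}", huntgroup)
    return {"Huntgroup-Name": huntgroup, "Autz-Type": autz,
            "sql": AUTZ_SQL_INSTANCE[autz], "query": query}
```

A NAS that is missing from the huntgroups file, or a user without the expected realm, yields None: the request never reaches any of the per-huntgroup sql instances.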