> > On Fri, 7 Jan 2005, Dustin Doris wrote:
> >
> >> Maybe you can do groups. For example, setup an unlimited group
> >> and a read_only group. Then put the users into the appropriate group.
> >>
> >> Have your users file say something like.
> >>
> >> DEFAULT Huntgroup-Name == Juniper, Group == "unlimited"
> >>         Juniper-Local-User-Name = "UNLIMITED"
> >>
> >> DEFAULT Huntgroup-Name == Juniper, Group == "read_only"
> >>         Juniper-Local-User-Name = "READ_ONLY"
> >
> > This seems like the answer, but I am again being stupid and must be missing
> > something. When I try to login now, I get authenticated, but the Attributes
> > never get sent back. Here is what I have defined:
> > ----------------------------------------------------------------
> > DEFAULT Group == "J-UNRESTRICTED", Huntgroup-Name == JUNIPER
> >         Juniper-Local-User-Name = "UNRESTRICTED",
> >         Fall-Through = Yes
> >
> > DEFAULT Group == "R-UNRESTRICTED", Huntgroup-Name == RIVERSTONE
> >         Riverstone-User-Level = 15,
> >         Fall-Through = Yes
> >
> > jfeger  Auth-Type = System
> >         Group = "J-UNRESTRICTED"
> >
> > --------------------------------------------------------------------
> >
> > In the huntgroups file:
> > JUNIPER NAS-IP-Address == x.x.x.x (I took the IP out in this email)
> >
> > --------------------------------------------------------------------
> >
> > So, when I ssh to the IP of the NAS box and attempt to login, I get
> > authenticated, but none of the attributes are sent back:
> >
> >
> > rlm_realm: No '@' in User-Name = "jfeger", looking up realm NULL
> > rlm_realm: No such realm "NULL"
> > modcall[authorize]: module "suffix" returns noop for request 0
> > rlm_eap: No EAP-Message, not doing EAP
> > modcall[authorize]: module "eap" returns noop for request 0
> > users: Matched jfeger at 34
> > modcall[authorize]: module "files" returns ok for request 0
> > modcall: group authorize returns ok for request 0
> > rad_check_password: Found Auth-Type System
> > auth: type "System"
> > Processing the authenticate section of radiusd.conf
> > modcall: entering group authenticate for request 0
> > modcall[authenticate]: module "unix" returns ok for request 0
> > modcall: group authenticate returns ok for request 0
> > Login OK: [jfeger] (from client bb-stlc.jp-01 port 0)
> > Sending Access-Accept of id 10 to X.X.X.X:2315
> > Finished request 0
> >
> >
> > So, what am I missing, or have out of sequence?
> > I have tried taking Fall-Through off, I have tried putting the Huntgroup
> > before the Group....etc...
> >
> > Thanks,
> > James

I think that you can't put the group a user is in in the users file. I would suggest putting your users and groups into some type of backend like MySQL or LDAP. I believe you could also get what you want in the password module, with something like what is in the etc_group module in the default radiusd.conf file. Or you can use the unix module and store all your users and groups in /etc/passwd, /etc/shadow, /etc/group. That would mean having local users on that machine, however.
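
An added example, not part of the original message and not FreeRADIUS code: a small Python audit that flags `Group` items in a users file that cannot match, assuming the setup the reply suggests (groups kept in /etc/group and checked through the unix module). The users entries are the ones quoted in the thread; the /etc/group content and the helpers `parse_etc_group` and `audit_users_file` are hypothetical.

```python
import re

# Constructed sample input: the users-file entries from the thread, plus a
# hypothetical /etc/group in which only the Juniper group has been created.
USERS_FILE = '''\
DEFAULT Group == "J-UNRESTRICTED", Huntgroup-Name == JUNIPER
        Juniper-Local-User-Name = "UNRESTRICTED",
        Fall-Through = Yes

DEFAULT Group == "R-UNRESTRICTED", Huntgroup-Name == RIVERSTONE
        Riverstone-User-Level = 15,
        Fall-Through = Yes

jfeger  Auth-Type = System
        Group = "J-UNRESTRICTED"
'''
ETC_GROUP = '''\
root:x:0:
J-UNRESTRICTED:x:1001:jfeger
'''

def parse_etc_group(text):
    """Return {group name: set of member names} from /etc/group text."""
    groups = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 4:
            groups[fields[0]] = {m for m in fields[3].split(",") if m}
    return groups

def audit_users_file(users_text, group_text):
    """Assumes Group == is tested against system groups; lists items that cannot match."""
    groups = parse_etc_group(group_text)
    findings = []
    for lineno, line in enumerate(users_text.splitlines(), 1):
        m = re.search(r'\bGroup\s*(==|:=|=)\s*"?([\w.-]+)"?', line)
        if not m:
            continue
        op, name = m.groups()
        if line[:1].isspace():
            # Indented lines are reply items; per the reply, membership is not declared here.
            findings.append((lineno, name, "group listed as reply item"))
        elif op == "==" and name not in groups:
            findings.append((lineno, name, "no such system group"))
    return findings

if __name__ == "__main__":
    for finding in audit_users_file(USERS_FILE, ETC_GROUP):
        print("line %d: %s: %s" % finding)
```
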