Date: Wed, 13 Dec 2006 08:05:32 +0000
From: B Thompson <[EMAIL PROTECTED]>
Subject: Re: Huntgroups, Users and Proxy
To: FreeRadius users mailing list
<freeradius-users@lists.freeradius.org>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=us-ascii
On Tue, Dec 12, 2006 at 04:23:43PM -0500, Walt Reynolds wrote:
I am going in circles here and not getting anywhere. I will try to
describe what I want to do starting with huntgroups.
huntgroup:
All NAS-IP-Address == 10.213.226.1
All NAS-IP-Address == 10.213.226.2
All NAS-IP-Address == 10.213.226.3
All NAS-IP-Address == 192.168.224.5
All NAS-IP-Address == 192.168.224.36
All NAS-IP-Address == 172.213.226.46
Bldg1 NAS-IP-Address == 10.213.226.1
Bldg1 NAS-IP-Address == 10.213.226.2
Bldg1 NAS-IP-Address == 10.213.226.3
Bldg1 NAS-IP-Address == 192.168.224.5
Bldg1 NAS-IP-Address == 192.168.224.36
Bldg2 NAS-IP-Address == 172.213.226.46
You can't have the same IP address in more than one huntgroup - See bug
#233.
http://bugs.freeradius.org/show_bug.cgi?id=233
The solution is to use rlm_passwd instead.
Ok, thanks for that info. Now let's say I put each NAS in one huntgroup
(I added the extra groups for possibilities). So let's say I have the
following:
UnitA NAS-IP-Address == 10.213.226.1
UnitA NAS-IP-Address == 10.213.226.2
UnitA NAS-IP-Address == 10.213.226.3
UnitB NAS-IP-Address == 192.168.224.5
UnitAB NAS-IP-Address == 172.213.226.46
TypeVPN NAS-IP-Address == 192.168.224.5
TypeGW NAS-IP-Address == 192.168.224.36
So this sets each NAS into a single group. The rest of my question I am
still confused about.
"UnitA" Authenticate with [EMAIL PROTECTED]
or
Authenticate with Null Realm
or
Authenticate [EMAIL PROTECTED]
But NOT
[EMAIL PROTECTED]
"UnitB" Authenticate with [EMAIL PROTECTED]
or
Authenticate with Null Realm
or
Authenticate [EMAIL PROTECTED]
but NOT
[EMAIL PROTECTED]
"UnitAB" Authenticate with [EMAIL PROTECTED]
or
Authenticate with [EMAIL PROTECTED]
or
[EMAIL PROTECTED]
or
Null realm
"TypeVPN" Authenticate ONLY with Null Realm
"TypeGW" authenticate with Null realm or generic.edu
So would I add the following to the users file? (Not sure about UnitAB
and TypeVPN with Fall-Through = No. I think the rest is right though.)
DEFAULT Huntgroup-Name == UnitAB, User-Name =~ "[EMAIL PROTECTED]", Proxy-To-Realm := unita.generic.edu
	Fall-Through = Yes
DEFAULT Huntgroup-Name == UnitAB, User-Name =~ "[EMAIL PROTECTED]", Proxy-To-Realm := unitb.generic.edu
	Fall-Through = Yes
DEFAULT Huntgroup-Name == UnitA, Proxy-To-Realm := unita.generic.edu
	Fall-Through = Yes
DEFAULT Huntgroup-Name == UnitB, Proxy-To-Realm := unitb.generic.edu
	Fall-Through = Yes
DEFAULT Huntgroup-Name == TypeGW, Proxy-To-Realm := generic.edu
	Fall-Through = Yes
DEFAULT Huntgroup-Name == TypeVPN, Proxy-To-Realm := NULL
	Fall-Through = No
Then in proxy.conf:
proxy server {
	synchronous = no
	retry_delay = 5
	retry_count = 3
	dead_time = 120
	default_fallback = yes
	post_proxy_authorize = yes
}
realm unita.generic.edu {
	type = radius
	authhost = radius.unita.generic.edu:1812
	accthost = radius.unita.generic.edu:1813
	nostrip
}
realm unitb.generic.edu {
	type = radius
	authhost = radius.unita.generic.edu:1812
	accthost = radius.unita.generic.edu:1813
	nostrip
}
realm generic.edu {
	type = radius
	authhost = LOCAL
	accthost = LOCAL
	strip
}
realm NULL {
	type = radius
	authhost = LOCAL
	accthost = LOCAL
}
realm DEFAULT {
	type = radius
	authhost = radius.highered.edu:1812
	accthost = radius.highered.edu:1812
	secret = XXXX
	nostrip
}
Thanks. There are so many things out there that I got a little lost. I
guess that is a problem with so many options and ways to do things.
--
Walter Reynolds
Principle Systems Security Development Engineer
Information Technology Central Services
University of Michigan
(734)615-9438
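As an added illustration (not code from this thread or from FreeRADIUS), the Python model below walks the posted users entries in file order, applies Fall-Through the way the users file is processed, and reports which Proxy-To-Realm a request ends up with, so the "UnitA", "UnitAB" and "TypeGW" cases above can be checked before touching a live server. It assumes the redacted User-Name regexes match on the realm suffix, and it leaves out 192.168.224.5, which the post lists under both UnitB and TypeVPN, because the thread says a NAS may appear in only one huntgroup.

```python
import re

# Constructed from the posted huntgroups file, one group per NAS.  192.168.224.5,
# which the post lists under both UnitB and TypeVPN, is left out because the
# thread says a NAS may only appear in one huntgroup.
HUNTGROUPS = {
    "UnitA": {"10.213.226.1", "10.213.226.2", "10.213.226.3"},
    "UnitAB": {"172.213.226.46"},
    "TypeGW": {"192.168.224.36"},
}

# Each entry: check items (attribute, operator, value), the config items set
# with ':=' when every check passes, and whether Fall-Through = Yes.  The
# redacted User-Name regexes are ASSUMED to match on the realm suffix.
USERS = [
    ([("Huntgroup-Name", "==", "UnitAB"), ("User-Name", "=~", r"@unita\.generic\.edu$")],
     {"Proxy-To-Realm": "unita.generic.edu"}, True),
    ([("Huntgroup-Name", "==", "UnitAB"), ("User-Name", "=~", r"@unitb\.generic\.edu$")],
     {"Proxy-To-Realm": "unitb.generic.edu"}, True),
    ([("Huntgroup-Name", "==", "UnitA")], {"Proxy-To-Realm": "unita.generic.edu"}, True),
    ([("Huntgroup-Name", "==", "TypeGW")], {"Proxy-To-Realm": "generic.edu"}, True),
]

def check_matches(check, request):
    """Evaluate one check item against a request (dict of attribute -> value)."""
    attr, op, value = check
    if attr == "Huntgroup-Name":
        # Huntgroup-Name == X passes when the request's NAS is listed under X.
        return request.get("NAS-IP-Address") in HUNTGROUPS.get(value, set())
    if op == "==":
        return request.get(attr) == value
    if op == "=~":
        return re.search(value, request.get(attr, "")) is not None
    raise ValueError(f"unsupported operator {op!r}")

def evaluate(request, users=USERS):
    """Walk entries in order: ':=' overwrites, and the walk stops at the first
    match without Fall-Through.  Returns (Proxy-To-Realm or None, matched indices)."""
    config, matched = {}, []
    for idx, (checks, items, fall_through) in enumerate(users):
        if all(check_matches(c, request) for c in checks):
            matched.append(idx)
            config.update(items)
            if not fall_through:
                break
    return config.get("Proxy-To-Realm"), matched

if __name__ == "__main__":
    for nas, user in [("172.213.226.46", "alice@unita.generic.edu"), ("10.213.226.1", "bob")]:
        print(nas, user, "->", evaluate({"NAS-IP-Address": nas, "User-Name": user}))
```

A realm of None means no entry set Proxy-To-Realm, so the request would be handled locally rather than proxied.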