Hello again all,

Thanks to the folks who responded to my earlier plea with regard to authenticating many Cisco devices using RADIUS. I'm trying to weigh my options and see which direction I want to go.
One idea I had after sending mail to the list was to have a sort of "catch-all" line at the end of the users file, so that if the RADIUS server hears a request from a device where the client-ip-address isn't specified already in the file, it would look in our custom group file for authorized users and allow them entry. Here's an idea of what I'm thinking:

DEFAULT Auth-Type = Kerberos
        Fall-Through = 1

DEFAULT Client-IP-Address == 10.0.0.60, Huntgroup-Name == group1
DEFAULT Client-IP-Address == 10.0.0.226, Huntgroup-Name == group2

DEFAULT Called-Station-Id == 5551234, Custom-Group == "dept800"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Routing = Broadcast-Listen,
        Framed-MTU = 1500,
        Session-Timeout = 28800,
        Idle-Timeout = 28800,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Called-Station-Id == 5551234, Auth-Type := Reject

...

and at the end:

DEFAULT Custom-Group == "routerfolk"
DEFAULT Auth-Type := Reject

My thinking is, if the request comes from a device where the client-ip-address is specified, then it will let it through. If it comes from a device where the client-ip-address is not specified, then it will hit the next-to-last line of the file, check the custom-group file and see if the user exists in it. If they do, they're authenticated on the device. If they don't exist in the file, then they'll hit the last line and be rejected.

However, what I've found in practice is, even if a request is heard from a device where the client-ip-address is specified above, they're still being rejected by the last line. Is there any way that I can tell the last line to reject *only* if there isn't a match previous to it?

Thanks again for any help!

Brian

--
Brian Johnson
"And I will be even more undignified than this, and will be humble in my own sight." (2 Samuel 6:22)
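The ordering the post relies on can be checked offline with a small model. This is an added example, not FreeRADIUS code and not the poster's: it assumes the documented users-file behaviour (entries tried top to bottom, a match ends processing unless Fall-Through is set), and the group-file contents, user names and request values are constructed.

```python
# Simplified model of users-file evaluation; not FreeRADIUS source code.
# Assumed semantics: entries are tried top to bottom, an entry matches only
# if every "==" check item matches, and a match ends processing unless the
# entry sets Fall-Through. Auth-Type "=" sets a default, ":=" overrides it.

GROUP_FILE = {"routerfolk": {"alice"}, "dept800": {"bob"}}  # constructed

def check(item, req):
    attr, value = item
    if attr == "Custom-Group":  # modelled as a lookup in the custom group file
        return req.get("User-Name") in GROUP_FILE.get(value, set())
    return req.get(attr) == value

# (label, "==" check items, Auth-Type assignment or None, Fall-Through)
# The entries elided with "..." in the post are not modelled.
ENTRIES = [
    ("kerberos-default", [], ("=", "Kerberos"), True),
    ("group1", [("Client-IP-Address", "10.0.0.60"),
                ("Huntgroup-Name", "group1")], None, False),
    ("group2", [("Client-IP-Address", "10.0.0.226"),
                ("Huntgroup-Name", "group2")], None, False),
    ("dept800", [("Called-Station-Id", "5551234"),
                 ("Custom-Group", "dept800")], None, False),
    ("dialin-reject", [("Called-Station-Id", "5551234")], (":=", "Reject"), False),
    ("routerfolk", [("Custom-Group", "routerfolk")], None, False),
    ("final-reject", [], (":=", "Reject"), False),
]

def evaluate(req, entries=ENTRIES):
    """Return (Auth-Type, labels of the entries that matched) for one request."""
    auth_type, matched = None, []
    for label, checks, assign, fall_through in entries:
        if not all(check(item, req) for item in checks):
            continue  # one failed check item skips the whole entry
        matched.append(label)
        if assign and (assign[0] == ":=" or auth_type is None):
            auth_type = assign[1]
        if not fall_through:
            break  # first match without Fall-Through ends processing
    return auth_type, matched

if __name__ == "__main__":
    for req in (  # constructed requests
        {"User-Name": "carol", "Client-IP-Address": "10.0.0.60", "Huntgroup-Name": "group1"},
        {"User-Name": "carol", "Client-IP-Address": "10.0.0.60"},
        {"User-Name": "alice", "Client-IP-Address": "10.0.0.99"},
    ):
        print(req, "->", evaluate(req))
```

In this model the final reject is reached only when every earlier entry fails at least one check item, so a request from a listed address still reaches it if the Huntgroup-Name on the same line does not match.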