You can group devices in huntgroups and add Huntgroup-Name to those DEFAULT profiles.
Ivan Kalik
Kalik Informatika ISP

On 10/10/2007, "Bryan Evege" <[EMAIL PROTECTED]> wrote:

>Hello all. First off here's what I want to accomplish in the end. Use
>LDAP as the backend to store all user information including radius
>attributes, shell info and access to specific devices in specific
>locations. For example, Johnny needs access to all linux boxes in
>Atlanta and priv-level 15 on cisco routers in Denver. Fred needs
>read/write access to all packet shapers in Denver and read only to all
>cisco devices in Atlanta and Denver. You get the picture.
>
>I've set up a test server following the document in
>/opt/freeradius/share/doc/freeradius/ldap_howto.txt without much
>difficulty. This method does a good job of allowing only certain groups
>to access certain devices without messing with the huntgroups.
>
>Here's the problem. When a user logs in and is a member of more than
>one group, radius only uses the first one to match. I've included the
>users file below. For example, if the user is a member of the cisco
>group and the packeteer group, only the packeteer group information gets
>passed back because it is found before the cisco group.
>
>Is there a way to say that the request is from a Cisco box so only look
>for the user in the cisco group? If the user is then found in that
>group then pass back the correct attributes from their profile. I know
>I would have to define what a "cisco box" is, probably by IP.
>
>Please let me know if this is even possible and if so provide an
>example. If it is not possible please provide some direction on how to
>go about doing this.
>
>Freeradius 1.1.7
>
>*_Users file_*
>
>DEFAULT Ldap-Group == acct_disabled, Auth-Type := Reject
>        Reply-Message = "Account disabled. Please call the helpdesk."
>
>DEFAULT Ldap-Group == packeteer_read_only, User-Profile := "uid=packeteer_read_only,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
>        Fall-Through = no
>
>DEFAULT Ldap-Group == Packeteer, User-Profile := "uid=Packeteer,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
>        Fall-Through = no
>
>DEFAULT Ldap-Group == netscreen, User-Profile := "uid=netscreen,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
>        Fall-Through = no
>
>DEFAULT Ldap-Group == cisco_priv_15, User-Profile := "uid=cisco_priv_15,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
>        Fall-Through = no
>
>DEFAULT Ldap-Group == cisco_priv_1, User-Profile := "uid=cisco_priv_1,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
>        Fall-Through = no
>
>DEFAULT Ldap-Group == netscreen, User-Profile := "uid=netscreen,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
>
>DEFAULT Auth-Type := Reject
>        Reply-Message = "Please call the helpdesk."
>
>DEFAULT Auth-Type = System
>        Fall-Through = 1
>
>
>Radiusd.conf ldap section
>
>        ldap {
>                server = "localhost"
>                identity = "cn=Manager,dc=csctus,dc=net"
>                password = xxxxxxx
>                basedn = "ou=users,ou=radius,dc=csctus,dc=net"
>                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>                # base_filter = "(objectclass=radiusprofile)"
>
>                # set this to 'yes' to use TLS encrypted connections
>                # to the LDAP database by using the StartTLS extended
>                # operation.
>                # The StartTLS operation is supposed to be used with normal
>                # ldap connections instead of using ldaps (port 689) connections
>                #start_tls = yes
>
>                # tls_cacertfile = /path/to/cacert.pem
>                # tls_cacertdir = /path/to/ca/dir/
>                # tls_certfile = /path/to/radius.crt
>                # tls_keyfile = /path/to/radius.key
>                # tls_randfile = /path/to/rnd
>                # tls_require_cert = "demand"
>
>                # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
>                # profile_attribute = "radiusProfileDn"
>                #default_profile = "uid=Packeteer,ou=profiles,ou=radius,dc=csctus,dc=net"
>                #profile_attribute = "radiusProfileDn"
>
>                #access_attr = "DialupAccess"
>
>                # Mapping of RADIUS dictionary attributes to LDAP
>                # directory attributes.
>                dictionary_mapping = ${raddbdir}/ldap.attrmap
>
>                ldap_connections_number = 5
>                ldap_cache_timeout = 120
>                ldap_cache_size = 0
>                ldap_connections_number = 10
>
>                #
>                # NOTICE: The password_header directive is NOT case insensitive
>                #
>                # password_header = "{clear}"
>                #
>                # Set:
>                #       password_attribute = nspmPassword
>                #
>                # to get the user's password from a Novell eDirectory
>                # backend. This will work *only if* freeRADIUS is
>                # configured to build with --with-edir option.
>                #
>                #
>                # The server can usually figure this out on its own, and pull
>                # the correct User-Password or NT-Password from the database.
>                #
>                # Note that NT-Passwords MUST be stored as a 32-digit hex
>                # string, and MUST start off with "0x", such as:
>                #
>                #       0x000102030405060708090a0b0c0d0e0f
>                #
>                # Without the leading "0x", NT-Passwords will not work.
>                # This goes for NT-Passwords stored in SQL, too.
>                #
>                password_attribute = userPassword
>                #
>                # Un-comment the following to disable Novell eDirectory account
>                # policy check and intruder detection. This will work *only if*
>                # FreeRADIUS is configured to build with --with-edir option.
>                #
>                edir_account_policy_check=no
>                #
>                groupname_attribute = radiusGroupName
>                #groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
>                groupmembership_filter = (&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))
>                groupmembership_attribute = radiusGroupName
>                timeout = 4
>                timelimit = 3
>                net_timeout = 1
>                # compare_check_items = yes
>                # do_xlat = yes
>                # access_attr_used_for_allow = yes
>                #
>                # By default, if the packet contains a User-Password,
>                # and no other module is configured to handle the
>                # authentication, the LDAP module sets itself to do
>                # LDAP bind for authentication.
>                #
>                # You can disable this behavior by setting the following
>                # configuration entry to "no".
>                #
>                # allowed values: {no, yes}
>                # set_auth_type = yes
>        }
>
>dn: dc=csctus,dc=net
>objectClass: dcObject
>objectClass: organizationalUnit
>ou: csctus.net Radius
>dc: csctus
>
>dn: ou=radius,dc=csctus,dc=net
>objectclass: organizationalunit
>ou: radius
>
>dn: ou=profiles,ou=radius,dc=csctus,dc=net
>objectclass: organizationalunit
>ou: profiles
>
>dn: ou=users,ou=radius,dc=csctus,dc=net
>objectclass: organizationalunit
>ou: users
>
>dn: ou=admins,ou=radius,dc=csctus,dc=net
>objectclass: organizationalunit
>ou: admins
>
>dn: uid=dial,ou=profiles,ou=radius,dc=csctus,dc=net
>objectclass: radiusprofile
>uid: dial
>radiusServiceType: Framed-User
>radiusFramedProtocol: PPP
>radiusFramedIPNetmask: 255.255.255.0
>radiusFramedRouting: None
>
>dn: uid=cisco,ou=profiles,ou=radius,dc=csctus,dc=net
>objectclass: radiusprofile
>uid: cisco
>radiusReplyItem: Cisco-AVPair ="priv-lvl=15"
>
>dn: uid=packeteer,ou=profiles,ou=radius,dc=csctus,dc=net
>objectclass: radiusprofile
>uid: packeteer
>radiusReplyItem: Packeteer-AVPair = "access=touch"
>
>dn: uid=isdn,ou=profiles,ou=radius,dc=csctus,dc=net
>objectclass: radiusprofile
>uid: isdn
>radiusServiceType: Framed-User
>radiusFramedProtocol: PPP
>radiusFramedIPNetmask: 255.255.255.0
>radiusFramedRouting: None
>
>dn: uid=example,ou=users,ou=radius,dc=csctus,dc=net
>objectclass: radiusProfile
>uid: example
>userPassword: test
>radiusGroupName: dial
>radiusGroupName: isdn
>
>dn: uid=bevege,ou=users,ou=radius,dc=csctus,dc=net
>radiusGroupName: cisco_priv_15
>radiusGroupName: Packeteer
>objectClass: radiusprofile
>uid: bevege
>userPassword: {MD5}xxxxxxxxx
>
>dn: cn=freeradius,ou=admins,ou=radius,dc=csctus,dc=net
>objectclass: person
>sn: freeradius
>cn: freeradius
>userPassword: freeradius
>
>dn: cn=billing,ou=admins,ou=radius,dc=csctus,dc=net
>objectclass: person
>sn: billing
>cn: billing
>userPassword: billing
>
>dn: cn=replica,ou=admins,ou=radius,dc=csctus,dc=net
>objectclass: person
>sn: replica
>cn: replica
>userPassword: replica
>
>Thanks,
>
>BE
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
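A worked version of the huntgroup approach suggested in the reply, written as an added example rather than taken from either message in the thread: the huntgroups file maps NAS addresses to a device class, and each users-file DEFAULT entry then checks Huntgroup-Name before Ldap-Group, so a user who is in both cisco_priv_15 and Packeteer gets only the profile that fits the device that sent the request. The NAS addresses are constructed placeholders, and the example assumes the preprocess module runs before files in the authorize section, as in the stock FreeRADIUS 1.x layout.

```text
# raddb/huntgroups  (added example; NAS addresses are placeholders,
# replace them with the management addresses of the real devices)
cisco      NAS-IP-Address == 192.0.2.10
cisco      NAS-IP-Address == 192.0.2.11
packeteer  NAS-IP-Address == 192.0.2.20
netscreen  NAS-IP-Address == 192.0.2.30

# raddb/users  (added example)
# The device class is checked first, then the LDAP group, so group
# order in the file no longer decides which profile a multi-group
# user receives.
DEFAULT Ldap-Group == acct_disabled, Auth-Type := Reject
        Reply-Message = "Account disabled. Please call the helpdesk."

DEFAULT Huntgroup-Name == cisco, Ldap-Group == cisco_priv_15, User-Profile := "uid=cisco_priv_15,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
        Fall-Through = no

DEFAULT Huntgroup-Name == cisco, Ldap-Group == cisco_priv_1, User-Profile := "uid=cisco_priv_1,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
        Fall-Through = no

DEFAULT Huntgroup-Name == packeteer, Ldap-Group == Packeteer, User-Profile := "uid=Packeteer,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
        Fall-Through = no

DEFAULT Huntgroup-Name == packeteer, Ldap-Group == packeteer_read_only, User-Profile := "uid=packeteer_read_only,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
        Fall-Through = no

DEFAULT Huntgroup-Name == netscreen, Ldap-Group == netscreen, User-Profile := "uid=netscreen,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
        Fall-Through = no

# Nothing above matched: either the user is not in a group that is
# allowed on this device class, or the request came from a NAS that
# is in no huntgroup at all. Both cases are refused.
DEFAULT Auth-Type := Reject
        Reply-Message = "Please call the helpdesk."
```

Huntgroup-Name is derived from the request's NAS-IP-Address, which the server only accepts because the device authenticated with its shared secret from clients.conf, so each device class should have its own client entry and secret rather than one shared value. Run `radiusd -X` and send a test request from each NAS address to confirm the expected DEFAULT entry is the one that matches.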