Bryan Evege wrote:
...
Please edit your posts to the list. It's annoying to have to scroll
through reams of headers and old messages in order to see your reply.
> Thank you for the reply. If I change the fall through to yes it still
> matches as many groups as the user is in. How can I tell freeradius
> which attributes to send back? It only sends back the attributes of the
> last group it finds.
Read the documentation for the "users" file, including the "man" page.
> For example, bevege is a member of the following groups, packetshapper,
> cisco_priv_15, cisco_priv_1, linux. Here is what happens when I try to
> log into one of the packet shapers. I get the attributes for the
> cisco_priv_1 because it's last in the list and I can't logon. If I
> change all of the users groups to fall-through=no the packetshapper
> allows me to login but then the cisco profiles don't work because it
> never makes it to them.
i.e. You want to match on the client AND on the group. Why not
configure that?
    DEFAULT Client-IP-Address == 1.2.3.4, LDAP-Group == ...
            reply with stuff...
> Basically this setup works fine if you're only in one group! What's the
> point of groups if you can only be in one.
You can be in multiple groups. You just have to configure the correct
policy.
Alan DeKok.
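
Added example, not part of the original message: one way the client-and-group policy suggested above could look in the "users" file for the four groups named in the question. The client addresses (documentation range) and the reply values are assumptions; the page does not give them.

```text
# Constructed example for the FreeRADIUS "users" file.
# Entries are checked top to bottom. Without Fall-Through = Yes,
# processing stops at the first entry whose check items all match,
# so each request gets the reply items of exactly one entry.

# Requests arriving from the packet shaper (address is an assumption):
# only membership in "packetshapper" is considered for this client.
DEFAULT Client-IP-Address == 192.0.2.10, LDAP-Group == "packetshapper"
        Service-Type = Administrative-User

# Requests arriving from a Cisco device (address is an assumption).
# The more privileged group is listed first, so a user who is in both
# cisco_priv_15 and cisco_priv_1 receives level 15.
DEFAULT Client-IP-Address == 192.0.2.20, LDAP-Group == "cisco_priv_15"
        Cisco-AVPair = "shell:priv-lvl=15"

DEFAULT Client-IP-Address == 192.0.2.20, LDAP-Group == "cisco_priv_1"
        Cisco-AVPair = "shell:priv-lvl=1"

# Default deny. Assumption: every permitted client/group combination
# is listed above, so a request that reaches this entry (for example a
# "linux" group member logging in to a Cisco device) is refused rather
# than answered with another group's attributes.
DEFAULT Auth-Type := Reject
```

Group membership alone no longer selects the reply: a user in several groups gets the attributes for the device being logged in to, and nothing for devices where none of their groups is listed.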