On Mon, 2007-10-22 at 19:30 -0400, Bryan Martin wrote:
> I need to have my NetworkGroup get passed one set of attributes and my
> ServerGroup get passed another. But I have some EnterpriseAdmins who need
> access to both sets so I need to pass the correct attribute back depending
> on which device they try to auth from.

This is getting to be an FAQ.
http://marc.info/?l=freeradius-users&m=119010719300080&w=2

> User Joe is an EnterpriseAdmin. He is a member of the NetworkGroup and the
> ServerGroup so I need him to have the correct attributes passed to him
> depending on which NAS-IP-Address he comes from respectively. For instance,
> if joe tries to log in through 192.168.0.50 I need to pass back "Class =
> OU=ServerGroup". If joe tries to log in through 192.168.0.1 I need to pass
> him "Class = OU=NetworkGroup". The way it stands no matter which
> NAS-IP-Address he comes from because he is a member of both groups he gets
> both attributes sent back from radgroupreply.
>
> User Sally is a member of the NetworkGroup so I only want radgroupreply to
> send just the attributes for the NetworkGroup.
>
> User Bob is a ServerGroup so I only want bob to get the attributes from the
> ServerGroup.
>
> mysql> select * from radcheck;
> +----+----------+----------------------+----+---------------------------------------+
> | id | UserName | Attribute            | op | Value                                 |
> +----+----------+----------------------+----+---------------------------------------+
> |  8 | joe      | Password-With-Header | := | {md5}928a40033e748ad825e92ec4f9870696 |
> |  9 | sally    | Password-With-Header | := | {md5}928a40033e748ad825e92ec4f9870696 |
> | 10 | bob      | Password-With-Header | := | {md5}928a40033e748ad825e92ec4f9870696 |
> +----+----------+----------------------+----+---------------------------------------+
>
> mysql> select * from usergroup;
> +----------+--------------+----------+
> | UserName | GroupName    | priority |
> +----------+--------------+----------+
> | joe      | NetworkGroup |        1 |
> | joe      | ServerGroup  |        2 |
> | sally    | NetworkGroup |        1 |
> | bob      | ServerGroup  |        1 |
> +----------+--------------+----------+
>
> mysql> select * from radgroupcheck;
> +----+--------------+----------------+----+--------------+
> | id | GroupName    | Attribute      | op | Value        |
> +----+--------------+----------------+----+--------------+
> |  9 | ServerGroup  | NAS-IP-Address | =  | 192.168.0.50 |
> | 10 | ServerGroup  | Auth-Type      | =  | MD5          |
> | 11 | NetworkGroup | NAS-IP-Address | =  | 192.168.0.1  |
> | 12 | NetworkGroup | Auth-Type      | =  | MD5          |
> +----+--------------+----------------+----+--------------+
>
> mysql> select * from radgroupreply;
> +----+--------------+-----------+----+-----------------+
> | id | GroupName    | Attribute | op | Value           |
> +----+--------------+-----------+----+-----------------+
> | 17 | NetworkGroup | Class     | := | OU=NetworkGroup |
> | 18 | ServerGroup  | Class     | := | OU=serverGroup  |
> +----+--------------+-----------+----+-----------------+
>
>
> Steps to reproduce if needed.
> insert into usergroup (UserName, GroupName, priority) VALUES ('joe', 'NetworkGroup', 1);
> insert into usergroup (UserName, GroupName, priority) VALUES ('joe', 'ServerGroup', 2);
> insert into usergroup (UserName, GroupName, priority) VALUES ('sally', 'NetworkGroup', 1);
> insert into usergroup (UserName, GroupName, priority) VALUES ('bob', 'ServerGroup', 1);
>
> insert into radgroupcheck (GroupName, Attribute, op, value) VALUES ('ServerGroup', 'NAS-IP-Address', '=', '192.168.0.50');
> insert into radgroupcheck (GroupName, Attribute, op, value) VALUES ('ServerGroup', 'Auth-Type', '=', 'MD5');
> insert into radgroupcheck (GroupName, Attribute, op, value) VALUES ('NetworkGroup', 'NAS-IP-Address', '=', '192.168.0.1');
> insert into radgroupcheck (GroupName, Attribute, op, value) VALUES ('NetworkGroup', 'Auth-Type', '=', 'MD5');
>
> insert into radgroupreply (GroupName, Attribute, op, Value) VALUES ('NetworkGroup', 'Class', ':=', 'OU=NetworkGroup');
> insert into radgroupreply (GroupName, Attribute, op, Value) VALUES ('ServerGroup', 'Class', ':=', 'OU=serverGroup');
>
> Thanks for your time.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html