Running version 2.0.5, with LDAP backend for authentication/authorization.

Needed functionality: A single user account needs a different ldap/radius profile depending on which huntgroup the request is coming in on... the reason is that each user has a different Framed-IP-Address for each VPN concentrator they are coming in on. So each user needs a profile per NAS, I believe.

I have separated out each NAS into its appropriate huntgroup, and am matching on that in the users file. Also trying to dynamically set the User-Profile.

    DEFAULT Huntgroup-Name == jup-rtr-xauth, Ldap-Group == `cn=%{Huntgroup-Name},ou=Groups,ou=Radius,dc=geowireless,dc=net`, User-Profile := `uid=%{User-Name},ou=jup-rtr-xauth,ou=Profiles,ou=Radius,dc=geowireless, dc=net`
            Fall-Through = no

(entire users file at the end of this message).

The user is authenticated successfully (so the group matching and the %{Huntgroup-Name} expansion are working fine), but the User-Profile is not being set. If I hard code in the value for uid, it works, so the problem is in the variable.

I had a similar problem and ended up using a rewrite rule to solve it. For 1.1.x here is the rule I used to derive a dn from a huntgroup:

    attr_rewrite uprof {
        attribute = User-Profile
        # may be "packet", "reply", "proxy", "proxy_reply" or "config"
        searchin = config
        searchfor = ""
        replacewith = "cn=%{Huntgroup-Name},ou=Profiles,dc=..."
        ignore_case = no
        new_attribute = yes
        max_matches = 10
        append = no
    }

The call to uprof is in the authorize section. I placed it after 'files' and before 'ldap'.

So setting the

    replacewith = "uid=%{User-Name},ou=%{Huntgroup-Name},ou=Profiles,ou=Radius,dc=geowireless,dc=net"

should do exactly what you want.

However, using FR 2.x you can probably use unlang to do the same thing in a much clearer manner.

regards,
Frank Ranner