Gene Hinds wrote:
> I am trying to determine how to have freeradius respond with
> different attributes for a user depending on what device he telnets
> into.

  You key off of the source IP address.  See "man unlang"

	if (Packet-Src-IP-Address == 1.2.3.4) {
		update reply {
			Reply-Message := "Foo!"
		}
	}
	...

> If he is a level 1 tech and telnets into a customer router I want
> him to have admin rights but if he telnets into a Core router I want him
> to only have Cisco level 1 access. Since these are naturally different
> attributes the response from freeradius needs to be different depending
> on the routers sending the request. From reading it seems this is
> possible with some rules in possibly the "radcheck" table but I cannot
> fully grasp the concept.

  I'm not sure that the SQL schema is up to that task.

> Can someone please give me some direct documentation or
> configuration examples on this issue? I seem to know just enough to
> get myself in trouble so the more detailed the instructions the better.

  What you can do instead is to abstract the privilege level from the
returned attributes.  e.g. create a schema with <admin, ip, privilege>

  Then do:

	update control {
		Tmp-String-0 = "%{sql: SELECT foo from bar WHERE user = %{User-Name} ..."
	}

	switch "%{control:Tmp-String-0}" {
		case low {
			update reply {
				...
			}
		}

		case high {
			update reply {
				...
			}
		}
	}

  Hope that makes sense.

  Alan DeKok.
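
Added example, not part of the original message or of the FreeRADIUS distribution: one way to fill in the lookup-and-switch approach described above, written as a fragment for the authorize section. The table name admin_privilege, its columns, and the mapping of "low" and "high" to Cisco privilege levels 1 and 15 are assumptions; an unmatched lookup is rejected so that a missing row never grants access.

```unlang
# Added example. Hypothetical schema, one row per (admin, device) pair:
#
#   CREATE TABLE admin_privilege (
#       admin     VARCHAR(64) NOT NULL,  -- User-Name of the technician
#       ip        VARCHAR(45) NOT NULL,  -- router address as seen by the server
#       privilege VARCHAR(16) NOT NULL,  -- 'low' or 'high'
#       PRIMARY KEY (admin, ip)
#   );
#
# Place after the module that finds the user's password in "authorize".

# Look up the privilege label for this user on the router that sent the
# request. rlm_sql escapes attribute values expanded inside the query.
update control {
	Tmp-String-0 := "%{sql:SELECT privilege FROM admin_privilege WHERE admin = '%{User-Name}' AND ip = '%{Packet-Src-IP-Address}'}"
}

# Translate the abstract label into device-specific reply attributes.
switch "%{control:Tmp-String-0}" {
	case high {
		# Assumed meaning of "admin rights" on a Cisco device.
		update reply {
			Service-Type := NAS-Prompt-User
			Cisco-AVPair := "shell:priv-lvl=15"
		}
	}

	case low {
		# Assumed meaning of "Cisco level 1 access".
		update reply {
			Service-Type := NAS-Prompt-User
			Cisco-AVPair := "shell:priv-lvl=1"
		}
	}

	# Default case: no row for this (user, router) pair, or an
	# unexpected label. Fail closed instead of sending a bare accept.
	case {
		update reply {
			Reply-Message := "No privilege assigned for this device"
		}
		reject
	}
}
```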