> I'm trying to use unlang to limit LDAP users' access to different network
> devices. Here is what I have so far in the site-enable/default:
>
> Auth-Type LDAP {
>     ldap
>
>     if(NAS-IP-Address == 10.1.1.1 && LDAP-Group == 'RouterAdmin') {
>         ok
>     }
>     else {
>         reject
>     }
> }
>
> Right now that works if your LDAP radiusGroupName = RouterAdmin and you are
> trying to connect to 10.1.1.1, but I would like to add NAS-IP-Addresses and
> associate them with a radiusGroupName. This is where I'm having trouble. It
> would be nice if I could just reference a file for the IPs like:
>
> RouterAdminList = /usr/local/etc/raddbd/devices/RouterAdmin
>
> if(NAS-IP-Address == %{RouterAdminList} && LDAP-Group == 'RouterAdmin') {
>
> And have multiple lines:
>
> if(NAS-IP-Address == %{RouterAdminList} && LDAP-Group == 'RouterAdmin') OR
> if(NAS-IP-Address == %{SwitchAdminList} && LDAP-Group == 'SwitchAdmin') OR
> if(NAS-IP-Address == %{WifiAdminList} && LDAP-Group == 'WifiAdmin') {
>     ok
> }
> else {
>     reject
> }
> }
>
> How would I do that? And how would I list the IP addresses in the files?
Use huntgroups (raddb/huntgroups).

if(Huntgroup-Name == "routers" && Ldap-Group == "RouterAdmin") {
    ok
}
else {
    reject
}

Ivan Kalik
Kalik Informatika ISP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
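The reply's huntgroups approach carried through to the three device classes the original question lists, as an added example that is neither Ivan's nor the FreeRADIUS project's own configuration. The huntgroup names (routers, switches, wifi) and the NAS addresses other than 10.1.1.1 are constructed for illustration; the huntgroups file format (one line per device, lines with the same name ORed together) and the requirement that the preprocess module run in authorize so that Huntgroup-Name can be resolved are standard FreeRADIUS behaviour. The asker's "OR" between if statements becomes separate elsif branches, and any NAS not listed in huntgroups falls through to reject.

```conf
# --- raddb/huntgroups (added example; addresses are constructed placeholders) ---
# Format: <huntgroup-name>  <check-item> [, <check-item> ...]
# Several lines with the same name are ORed together, so each managed
# device is one line. Huntgroup-Name is resolved from this file by the
# "preprocess" module, which must be listed in the authorize section.
routers   NAS-IP-Address == 10.1.1.1
routers   NAS-IP-Address == 10.1.1.2
switches  NAS-IP-Address == 10.1.2.1
wifi      NAS-IP-Address == 10.1.3.1

# --- raddb/sites-enabled/default, Auth-Type LDAP block ---
Auth-Type LDAP {
    ldap

    # Each device class may only be administered by its own LDAP group.
    # A device that is not in huntgroups matches no branch and is rejected.
    if (Huntgroup-Name == "routers" && Ldap-Group == "RouterAdmin") {
        ok
    }
    elsif (Huntgroup-Name == "switches" && Ldap-Group == "SwitchAdmin") {
        ok
    }
    elsif (Huntgroup-Name == "wifi" && Ldap-Group == "WifiAdmin") {
        ok
    }
    else {
        reject
    }
}
```

Adding a device is then a one-line edit to raddb/huntgroups rather than a change to the policy, which keeps the group-to-device mapping reviewable in one place.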