Locking realm access to a specific huntgroup
Hello, I have different NAS and each type of NAS is grouped together in a huntgroup. I need to make an addition to my radius setup to proxy requests with a certain realm to a specified server. Proxying is already working but I want to lock the users using that specific realm to a specific huntgroup so that its only possible for them to login on predefined NASgroup. I don't have access to the remote proxy server. Using attr_filter isn't an option since this only filters replys. Anyone knows how to do this? Thx in advance and kind regards, Jonathan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Locking realm access to a specific huntgroup
Jonathan De Graeve wrote: > I have different NAS and each type of NAS is grouped together in a > huntgroup. > > I need to make an addition to my radius setup to proxy requests with a > certain realm to a specified server. > > Proxying is already working but I want to lock the users using that > specific realm to a specific huntgroup so that its only possible for > them to login on predefined NASgroup. You could try to manually set the "Proxy-To-Realm" variable in the "users" file instead of using the "realm" module. For example, test with something like that: DEFAULT User-Name =~ "@foo\.net$", Huntgroup-Name == "bar", Proxy-To-Realm := "foo.net" > Using attr_filter isn't an option since this only filters replys. The attr_filter module can be used in both pre-proxy and post-proxy sections. -- Nicolas Baradakis - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Locking realm access to a specific huntgroup
> You could try to manually set the "Proxy-To-Realm" variable in the > "users" file instead of using the "realm" module. For example, > test with something like that: > > DEFAULT User-Name =~ "@foo\.net$", Huntgroup-Name == "bar", Proxy-To-Realm > := "foo.net" Ok, this is working :) (I tried the same with a wrong regexp) > > Using attr_filter isn't an option since this only filters replys. > > The attr_filter module can be used in both pre-proxy and post-proxy > sections. Indeed but if I understand it right, you can't distinct between the 2 types? Furthermore, this only changes/filters attributes while I needed to check the huntgroup to the local radius. Since the DEFAULT trick works, I'm happy :) Thx a lot ;) J. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Locking realm access to a specific huntgroup
Jonathan De Graeve wrote: > > > Using attr_filter isn't an option since this only filters replys. > > > > The attr_filter module can be used in both pre-proxy and post-proxy > > sections. > > Indeed but if I understand it right, you can't distinct between the 2 > types? You can't. But you can have 2 module instances for each section :) > Furthermore, this only changes/filters attributes while I needed to > check the huntgroup to the local radius. You're right, and this is the reason why attr_filter isn't suitable in your case. > Since the DEFAULT trick works, I'm happy :) > Thx a lot ;) You're welcome :) -- Nicolas Baradakis - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
