Hi,
Any news for this problem?
Br,
Ville
On 5.8.2013 19:08, vi...@leinonen.org wrote:
Here:
rad_recv: Access-Request packet from host 172.150.0.62 port 25196, id=194,
length=63
User-Name = testu...@.fi
User-Password = testpass
NAS-IP-Address = 172.150.0.62
#
Hi,
I have installed fr 2.1.10 w openldap and I can authenticate users
against ldap.
I have also added groups in ldap and allowed ldap module to search
groups and it also works fine.
Now the problem is that huntgroups won't work. I need to restrict
access to NAS for specific groups. I
Hi,
file users:
DEFAULT Ldap-Group ==
Huntgroup-Name ==
multiple lines? the first line is CHECK items. other lines are REPLY items
alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
Thank you for your reply.
It was my mistake, when I was testing.
Corrected DEFAULT Ldap-Group == , Huntgroup-Name ==
Still not working as I want.
Br,
Ville
Hi,
file users:
DEFAULT Ldap-Group ==
Huntgroup-Name ==
multiple lines? the first line is CHECK items.
Hi,
It was my mistake, when I was testing.
Corrected DEFAULT Ldap-Group == , Huntgroup-Name ==
Still not working as I want.
output?
alan
Here comes:
rlm_ldap::ldap_groupcmp: User found in group
and user still access in. I noticed that if I disable ldap
and put user in users file like this:
vi...@.fi Cleartext-Password := , Huntgroup-Name ==
it works and I can filter users based on huntgroup.
Br,
Ville
Hi,
Here comes:
rlm_ldap::ldap_groupcmp: User found in group
radiusd -X
it's what the docs say. for a reason
alan
Here:
rad_recv: Access-Request packet from host 172.150.0.62 port 25196, id=194,
length=63
User-Name = testu...@.fi
User-Password = testpass
NAS-IP-Address = 172.150.0.62
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group
On 07/02/2013 02:30 AM, Matt Zagrabelny wrote:
If a user is not in the secret group, then their login should fail if
the Vendor-3076-Attr-146 = 0x554d44 pair is in the request.
This is pretty easy:
authorize {
...
if (Vendor-3076-Attr-146 == 0x554d44) {
if (SQL-Group == secret) {
On 2 Jul 2013, at 07:18, Phil Mayers p.may...@imperial.ac.uk wrote:
On 07/02/2013 02:30 AM, Matt Zagrabelny wrote:
If a user is not in the secret group, then their login should fail if
the Vendor-3076-Attr-146 = 0x554d44 pair is in the request.
This is pretty easy:
authorize {
...
On 2 Jul 2013, at 07:41, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
On 2 Jul 2013, at 07:18, Phil Mayers p.may...@imperial.ac.uk wrote:
On 07/02/2013 02:30 AM, Matt Zagrabelny wrote:
If a user is not in the secret group, then their login should fail if
the Vendor-3076-Attr-146
Hi
I'll see if I can send through some dictionary file entries later today
Alan
This smartphone uses eduroam which gives me free WiFi around the world. Now
that's what I call smart!
On 07/02/2013 07:52 AM, Arran Cudbard-Bell wrote:
This may work for 2.x.x but definitely won't work for 3.0 which uses
direct DICT_ATTR pointer comparisons in some places (instead of
comparing vendor/attribute number).
So... what *can* you do with Vendor-X-Attr-Y?
On 2 Jul 2013, at 08:53, Phil Mayers p.may...@imperial.ac.uk wrote:
On 07/02/2013 07:52 AM, Arran Cudbard-Bell wrote:
This may work for 2.x.x but definitely won't work for 3.0 which uses
direct DICT_ATTR pointer comparisons in some places (instead of
comparing vendor/attribute number).
On 02/07/13 11:37, Arran Cudbard-Bell wrote:
On 2 Jul 2013, at 08:53, Phil Mayers p.may...@imperial.ac.uk
wrote:
On 07/02/2013 07:52 AM, Arran Cudbard-Bell wrote:
This may work for 2.x.x but definitely won't work for 3.0 which
uses direct DICT_ATTR pointer comparisons in some places
Hi,
We have a generic VPN profile that we'd like to allow *all* users to
login to - this works well.
When users login to the secret profile, then the following VPN
attribute is included in the request:
Vendor-3076-Attr-146 = 0x554d44
use/load the dictionary.cisco.vpn3000 dictionary file
On 2 Jul 2013, at 11:57, Phil Mayers p.may...@imperial.ac.uk wrote:
On 02/07/13 11:37, Arran Cudbard-Bell wrote:
On 2 Jul 2013, at 08:53, Phil Mayers p.may...@imperial.ac.uk
wrote:
On 07/02/2013 07:52 AM, Arran Cudbard-Bell wrote:
This may work for 2.x.x but definitely won't work for
On 2 Jul 2013, at 12:15, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
On 2 Jul 2013, at 11:57, Phil Mayers p.may...@imperial.ac.uk wrote:
On 02/07/13 11:37, Arran Cudbard-Bell wrote:
On 2 Jul 2013, at 08:53, Phil Mayers p.may...@imperial.ac.uk
wrote:
On 07/02/2013 07:52 AM,
On 2 Jul 2013, at 12:19, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
On 2 Jul 2013, at 12:15, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
On 2 Jul 2013, at 11:57, Phil Mayers p.may...@imperial.ac.uk wrote:
On 02/07/13 11:37, Arran Cudbard-Bell wrote:
On 2 Jul 2013,
Greetings!
Our Cisco VPN concentrator is sending some RADIUS attributes in the
request packet and if certain values appear, then I'd like to only
allow a subset of users to login.
I've looked at:
http://wiki.freeradius.org/SQL-Huntgroup-HOWTO/dbeef165862fe9ba7ef6f7d011889d1f7212cf9b
the SQL
to the list for further checking
Anyway, I've updated the record above and putting := and it doesn't
work.
It depends what you want to do. I thought you had said you wanted to
*set* the huntgroups in SQL. If so, := is the correct thing to use.
If you're just checking
and putting := and it doesn't work.
It depends what you want to do. I thought you had said you wanted to
*set* the huntgroups in SQL. If so, := is the correct thing to use.
If you're just checking it, == is the right one.
Yes. I'm checking for a match between the NAS-IP-Address
Marco Marzetti wrote:
mysql> SELECT * FROM radgroupcheck;
+----+-----------+----------------+----+----------+
| id | groupname | attribute      | op | value    |
+----+-----------+----------------+----+----------+
|  1 | TECNICI   | Huntgroup-Name | == | APPARATI |
On Wed, 05/06/2013 at 09.14 -0400, Alan DeKok wrote:
Marco Marzetti wrote:
mysql> SELECT * FROM radgroupcheck;
+----+-----------+----------------+----+----------+
| id | groupname | attribute      | op | value    |
+----+-----------+----------------+----+----------+
|  1 |
you had said you wanted to
*set* the huntgroups in SQL. If so, := is the correct thing to use.
If you're just checking it, == is the right one.
The huntgroups are set in the huntgroups file. Have you looked there?
Alan DeKok.
On Tue, Apr 30, 2013 at 3:09 PM, gregoire.le...@retenodus.net wrote:
Hello,
It pretty much said that:
- you need to add an entry to radgroupcheck, so that when
Huntgroup-Name matches a value (site_a), an SQL group (site_a_admins)
will be assigned
- you add entries to radgroupreply to
Hello,
It pretty much said that:
- you need to add an entry to radgroupcheck, so that when
Huntgroup-Name matches a value (site_a), an SQL group (site_a_admins)
will be assigned
- you add entries to radgroupreply to return
whatever-attribute-value-pairs-you-want for site_a_admins group.
I
For the step 4, I have to :
1) Retrieve the huntgroup
2) Compare it with what the user sends
3) If it matches, give him his specific statement.
So, if I understand correctly in the authorize section, I have to
maintain a radipusers table for my IP/users and do something like :
1)
update request
Hi,
The thing I want to be added by radius in the reply :
if (Huntgroup-Name == 'one_huntgroup_name') {
Attribute1 op1 value1
Attribute2 op2 value2
...
Attributei opi valuei
}
Given that Attribute,op,value 1...i are in the MySQL table.
if (Huntgroup-Name ==
Hello,
if (Huntgroup-Name == 'one_huntgroup_name') {
update reply {
attribute1 := %{sql:SELECT blah blah}
attribute2 := %{sql:SELECT blah blah}
attribute3 := %{sql:SELECT blah blah}
attribute4 := %{sql:SELECT blah blah}
}
}
The thing is, I
Hi,
The thing is, I don't know how many attributes I have. It could be
1, 4, 10 and not always the same. That's why I want to retrieve from
the database the value, the op and the attribute.
just use authorize_group_reply_query and the groupreply_table =
radgroupreply
part of sql.conf ?
for NAS, still if the user is authenticated
I use radreply for X, the issue here is step 4. The how-to on the wiki about
huntgroups and SQL
recommends to use unlang in the authorize section. So, I update the request to
assign the Huntgroup-Name attribute, and use unlang to add the Y
to the reply for NAS, still if the user is
authenticated
I use radreply for X, the issue here is step 4. The how-to on the wiki about
huntgroups and SQL
recommends to use unlang in the authorize section. So, I update the request
to assign the Huntgroup-Name attribute, and use unlang to add
Now, documentation seems to say I have to add something in my
authorize{} section, but the only mention of authorize in my current
configuration is :
authorize {
ok
# respond to the Status-Server request.
Autz-Type Status-Server {
gregoire.le...@retenodus.net wrote:
My fault : I've opened status instead of default.
I have no idea what that means.
All of my help is presuming that you're starting off with the default
configuration. If you've butchered it, you're on your own.
For the step 4, I have to :
1) Retrieve
Hello,
So... what do you want to do? You've been very clear that you want
help with a particular *solution*. Because your assumptions are wrong,
your solution is wrong. So I can't really help you with that.
What do you have, and what do you want?
- you want the user to be
gregoire.le...@retenodus.net wrote:
I want the following behaviour :
1) Set the password for the user
2) Authentication of the user
3) X is always added to the reply if the user is authenticated
4) Moreover, Y is added to the reply for NAS, still if the user is
authenticated.
That's
Hello,
On 2013-04-22 15:33, Alan DeKok wrote:
gregoire.le...@retenodus.net wrote:
First, I want to check if the user has the right password. If he has the
right password, I want to give him a configuration and if he's in the
one_huntgroup_name (i.e he's from a special NAS), I want to give
gregoire.le...@retenodus.net wrote:
I have actually read the documentation, and the wiki about SQL. Really.
Otherwise, I wouldn't have sent the first email. I'm going to be more
specific about what I don't understand.
OK. That's good.
In my user files, I have two lines to check.
First,
Hello,
On 2013-04-20 15:23, Alan DeKok wrote:
gregoire.le...@retenodus.net wrote:
Hello,
I'm translating a flat file configuration into a MySQL configuration,
but I have some difficulties with huntgroups.
An example of what I have in my flat file :
example@domain
gregoire.le...@retenodus.net wrote:
First, I want to check if the user has the right password. If he has the
right password, I want to give him a configuration and if he's in the
one_huntgroup_name (i.e he's from a special NAS), I want to give him
the Framed-IP-Address. That's the current
gregoire.le...@retenodus.net wrote:
Hello,
I'm translating a flat file configuration into a MySQL configuration,
but I have some difficulties with huntgroups.
An example of what I have in my flat file :
example@domain  Cleartext-Password := password
Hello,
I'm translating a flat file configuration into a MySQL configuration,
but I have some difficulties with huntgroups.
An example of what I have in my flat file :
example@domain  Cleartext-Password := password
  Service-Type = Framed-User,
Any one kindly reply.
Regards,
Arshad Ahmed Network Engineer
From: arshadkha...@hotmail.com
To: freeradius-users@lists.freeradius.org
Subject: Configure Huntgroups
Date: Tue, 27 Nov 2012 10:01:19 +0500
Hi,
I have configured multiple hunt groups for different purposes like VPN (VPN
Hi,
I have configured multiple hunt groups for different purposes like VPN (VPN
Server IP), Netflow Services (Netflow Server IP) and hence define their
respective group in Windows Active Directory platform.
Now, I need to provide time-based VPN access to some users so I made a group in
active
Hi
I'm using freeradius 2.1.10
I have set up mac auth based authentication like it's written here
http://wiki.freeradius.org/Mac-Auth
it works quite well
my problem is now I want to combine that with huntgroups
I have put in my /etc/raddb/huntgroups
the following line
radfiltuxmacs NAS-IP
in context:
http://freeradius.1045715.n5.nabble.com/deny-access-with-huntgroups-tp2780330p3364120.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi guys,
there are some posts about subj. referring to search mailing list
archive. I did that, but not sure what is the best solution for 2.1.10
to solve this case. And of course, I would like to use regex for
nas-identifier value. Thanks for your opinions.
Regards,
Z.
Ok, I'll try to clarify the question.
Does anybody know why in huntgroups this match works:
XXX NAS-IP-Address == X.Y.Z.W
or
XXX NAS-IP-Address == X.Y.Z.W, NAS-Port-Id == 1:33
But not this one:
XXX NAS-IP-Address==X.Y.Z.W, NAS-Port=1033,
== X.Y.Z.W in huntgroups, and I
comment XXX NAS-IP-Address==X.Y.Z.W, NAS-Port=1033,
NAS-Port=1038
then it does mac login without problems, but when I want to fix the port
range, just skips the authentication,
and finally rejects.
Any clue?
Thanks
, radgroupreply working if I populate the
huntgroups flat file with appropriate information.
I can set shell:privs on ciscos for a specific user based on group
membership via radgroupreply.
As I understand it, if I move huntgroups out of the flat file (preprocess)
and into mysql, I lose
Following on from my previous post on Centralised LDAP Auth post:
http://lists.freeradius.org/pipermail/freeradius-users/2010-September/msg00393.html
I've found that using dynamic-clients gives me a few advantages over using
huntgroups.
1) Dynamic Clients allows you to have per-NAS shared
to know if there is any way to create a private attribute in
clients.conf to assign NAS type for Huntgroup selection ?
I made some checks but My-Nas-Type variable does not seem to be
accessible from within huntgroups as a checkItem.
As we have to manage more than 1000 various NAS, the idea
Fred MAISON fred.mai...@gmail.com wrote:
[snipped]
For example :
dictionary :
ATTRIBUTE My-Nas-Type 3000 string
clients.conf :
client c1 {
ipaddress = 10.1.1.1
My-Nas-Type = cisco
nastype = cisco
}
It is only available from unlang, however
On Monday 03 May 2010 at 18:29 +0100, Alexander Clouter wrote:
Fred MAISON fred.mai...@gmail.com wrote:
[snipped]
For example :
dictionary :
ATTRIBUTE My-Nas-Type 3000 string
clients.conf :
client c1 {
ipaddress = 10.1.1.1
My-Nas-Type =
in context:
http://www.nabble.com/deny-access-with-huntgroups-tp25151127p25185118.html
You have to enforce reject:
if(SQL-Group == vpnuser) {
ok
}
else {
reject
}
Ivan Kalik
Kalik Informatika ISP
Alright. that makes sense.
But can the if(xxx) contain several sql-queries to the database?
The username and groupname from radusergroup and groupname from
://www.nabble.com/deny-access-with-huntgroups-tp25151127p25186064.html
Finally. I got it working with the files (users and huntgroups), but I need
this to work in SQL instead and seem to run into the same problem. All
NAS-IP:s are accepted. Why??
I am so close but not quite there. Please help!
Followed a guide from jdennis that I googled up, but something
Finally. I got it working with the files (users and huntgroups), but I need
this to work in SQL instead and seem to run into the same problem. All
NAS-IP:s are accepted. Why??
Because if sql group doesn't match it is ignored - user is not rejected.
I am so close but not quite there. Please
, Cleartext-Password := localuser
huntgroups:
vpn NAS-IP-Address == 164.9.158.65
I am missing something. Please point me in the right direction.
Thanks.
--
View this message in context:
http://www.nabble.com/deny-access-with-huntgroups-tp25151127p25151127.html
-Password := localuser
huntgroups:
vpn NAS-IP-Address == 164.9.158.65
I am missing something. Please point me in the right direction.
Post the debug. Something else is letting user in. With these entries he
shouldn't be able to connect from a different NAS. You don't have an entry
without
Hello.
I need some help to debug my configuration of Huntgroups in SQL and why they
are not being enforced.
Probably missing something obvious here. I've been staring myself blind with
this problem.
User gets Access-Accept although NAS-IP-Address is not a match.
Here is the setup:
Freeradius
Hi.
For info, i followed the information in the below link for my Huntgroups,
but without Auth-Type since it is not recommended.
http://wiki.freeradius.org/SQL_Huntgroup_HOWTO
I still can't get huntgroups to be enforced properly.
If I add Huntgroup-Name == VPN-Service to the radcheck table
Hi All,
I want to use huntgroups in freeradius 2.1.6. I have a sql backend for
auth and acct, so naturally I want to put huntgroups into mysql as well.
I've read the wiki on how to do this, and I understand the notes.
However, the wiki entry mentions that the following should either go
I've read the wiki on how to do this, and I understand the notes.
However, the wiki entry mentions that the following should either go
into radiusd.conf or in sites-enabled/default:
update request {
Huntgroup-Name := %{sql:select groupname from radhuntgroup where
Hi All,
I want to use huntgroup to restrict access to certain huntgroups to
certain groups of users. So I edit my huntgroups file :
swLabo NAS-IP-Address == 192.168.0.50
Group = administrateur
I guess that administrateur is a Ldap-Group, isn't
I want to use huntgroup to restrict access to certain huntgroups to
certain groups of users. So I edit my huntgroups file :
swLabo NAS-IP-Address == 192.168.0.50
Group = administrateur
I guess that administrateur is a Ldap-Group, isn't it ? And I
François Mehault wrote:
So I understand that fmehault is able to authenticate on the NAS
192.168.0.50. But I have a segmentation fault of radiusd. I created also
the posix group administrateur which includes fmehault.
Which version are you using?
+- entering group authorize {...}
zsh:
I use version 2.1.4 on FreeBSD, but with Ldap-Group rather than Group in
huntgroups file, it works.
-Original Message-
From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org
[mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org]
De
Fall-Through = Yes
DEFAULT Auth-Type = LDAP
Fall-Through = 1
And I have modified /etc/raddb/huntgroups file with following data:
kmc1 NAS-IP-Address == 172.16.0.150
User-Name = kmcuser
But it is not working, with username kmcuser, I am able to login to other
I want to implement huntgroup for Radius server. In this respect I want to
give access to user name test1, which authenticated via LDAP, to only one
NAS with IP 172.16.0.150. For this I have modified /etc/raddb/users file
with following data:
kmcuser Auth-Type :=LDAP, Huntgroup-Name == kmc1
-Groups with it. If this is
not possible, I would like to know.
Is there maybe another way to check subnets? Can I use regex for
example in huntgroups? Then I wouldn't need to use unlang and can stay
some more time at my current version of freeradius.
Greets
Meyes
What you posted is a mixture of both
sites-enabled/default
-
authorize
{
ldap
if (Ldap-Group == employee NAS-IP-Address ==
^131\.(220)\.(1)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$)
{ok} else
if (Ldap-Group == student NAS-IP-Address ==
In 2.1.3 you can use unlang and not need huntgroups at all. Read man
unlang on freeradius site.
Thank you for answer Ivan. I'm thinking about upgrading of 2.1.3 or
2.1.4 but I'm not really sure how to transform my huntgroups and users
configuration in unlang. I read the documentation but I
Is that possible that I keep my huntgroups for all clients with
IP-Addresses and write a conditions only for network masks?
That would probably be the best. You might benefit from using sql
huntgroup implementation (pull IP's from the database):
http://wiki.freeradius.org/SQL_Huntgroup_HOWTO
employee, the same for
IP y.y.y.y . Then I have some other servers with requests that don't
need LDAP authorisation.
I used the Huntgroups to define the first two servers as huntgroup
testldap and the rest as huntgroup all.
That functions great for IP Addresses. The list is long, but still ok
Does Huntgroup support only IP-Addresses or I can fill up Network
Addresses too?
It's not what huntgroups support but what does the attribute
(NAS-IP-Address) support. And it is an IP address, not network.
Or there is another workaround? Or maybe this issue is already changed
in the new version
Dear All,
I am trying to implement huntgroups via MySQL according to
http://wiki.freeradius.org/SQL_Huntgroup_HOWTO One difference is the
assignment of huntgroups not according to NAS-IP, but to Called-Station-Id.
The goal is to suppress roaming between hotspot routers, between groups
Hanno Schupp wrote:
I am trying to implement huntgroups via MySQL according to
http://wiki.freeradius.org/SQL_Huntgroup_HOWTO One difference is the
assignment of huntgroups not according to NAS-IP, but to
Called-Station-Id. The goal is to suppress roaming between hotspot
routers, between
`, `GroupName`, `Attribute`, `op`, `Value`
1, 'TestGroup', 'Huntgroup-Name', ':=', 'Test'
This doesn't check anything. It sets huntgroup to Test.
As I understand it you want to reject huntgroups that are not Test. So
make such a policy:
Huntgroup-Name != Test, Auth-Type := Reject
Ivan Kalik
Kalik
-Original Message-
From: t...@kalik.net [mailto:t...@kalik.net]
Sent: Monday, 19 January 2009 10:52 p.m.
To: FreeRadius users mailing list
Subject: Re: Huntgroups issue - every user is accepted
The goal is to suppress roaming between hotspot routers, between groups
of
hotspots
-Original Message-
From: Alan DeKok [mailto:al...@deployingradius.com]
Sent: Monday, 19 January 2009 10:29 p.m.
To: FreeRadius users mailing list
Subject: Re: Huntgroups issue - every user is accepted
Hanno Schupp wrote:
I am trying to implement huntgroups via MySQL according
However, the issue remains:
I do not want the user to be rejected per se. I only want the user to be
rejected if her own huntgroup as stored in radgroupcheck is different from
the huntgroup of the Called-Station-Id in the radhuntgroup table. The goal
is to prevent a user to login to a hotspot
Terry Pelley wrote:
As I said before, the only example of using a huntgroup I can see in the
users file does not list a password attribute at all.
Because the huntgroups file isn't about setting the password. i.e.
it doesn't *do* that. It's not *supposed* to do that.
Is the use
== hunttest
My huntgroups file has a huntgroup called hunttest with a single NAS IP
Address listed as follows.
public NAS-IP-Address == 10.252.9.2
when the user huntest attempts to authenticate it fails. My RADIUS Log
shows the following entry.
Wed May 7 15:07:25 2008 : Auth: Login incorrect
. at least
for the time being.
I am trying to set up a very basic single user account for a very specific
purpose and have created the account as follows.
hunttest User-Password == hunttest, Huntgroup-Name == hunttest
My huntgroups file has a huntgroup called hunttest with a single NAS IP
Address
+1100
From: Ranner, Frank MR [EMAIL PROTECTED]
Subject: RE: Hints Huntgroups [SEC=UNCLASSIFIED]
To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Hints is processed first, then Huntgroups. You can set up 2 instances of
preprocess, process huntgroups in the first
Should I be able to either
1) Set a Huntgroup via the huntgroups file (matching on NAS-IP-Address) and
use that in the Hints file as a match (Huntgroup-Name == blah) or
2) Set a Hint in the hints file and use that to define as the match for the
Huntgroup
Currently testing on FreeRADIUS
UNCLASSIFIED
-Original Message-
From:
[EMAIL PROTECTED]
eradius.org [mailto:freeradius-users-
[EMAIL PROTECTED] On
Behalf Of Dean Smith
Sent: Thursday, 3 April 2008 09:20
To: freeradius-users@lists.freeradius.org
Subject: Hints Huntgroups
Should I be able to either
1
In 2.0, much of the huntgroup functionality can be done with a little
bit of magic:
client foo {
ipaddr = 127.0.0.1
secret = x
huntgroup = foo # invent ANYTHING here! foo = bar, x = y, etc.
}
Then in unlang:
...
if (%{client:huntgroup} == foo) {
Phil Mayers wrote:
I've never had cause to look at it before, but I discovered today that
accounting doesn't support huntgroups; specifically, an attempt to match
on Huntgroup-Name in acct_users
Is this expected?
The preprocess module doesn't do huntgroups for accounting requests
Arran Cudbard-Bell wrote:
Woah, get that working with SQL and you have an insanely useful feature.
Oooo what VLANS does this NAS support, hmm i'll just check the client
VLAN tags. Where is this NAS located, hmm i'll just check the
arbitrarily populated location tag.
Err... why? You can do
Hi,
Arran Cudbard-Bell wrote:
Woah, get that working with SQL and you have an insanely useful feature.
Oooo what VLANS does this NAS support, hmm i'll just check the client
VLAN tags. Where is this NAS located, hmm i'll just check the
arbitrarily populated location tag.
Err... why?
Alan DeKok wrote:
Arran Cudbard-Bell wrote:
Woah, get that working with SQL and you have an insanely useful feature.
Oooo what VLANS does this NAS support, hmm i'll just check the client
VLAN tags. Where is this NAS located, hmm i'll just check the
arbitrarily populated location tag.
[EMAIL PROTECTED] wrote:
yep - but I think the default schema for clients didn't have these
extra features added. at least someone mentioned synchronising them
recently
more importantly for other people - do these attributes get passed
through the message structure for PERL and Python?
I've never had cause to look at it before, but I discovered today that
accounting doesn't support huntgroups; specifically, an attempt to match
on Huntgroup-Name in acct_users
Is this expected? How does one normally specify Acct-Type based on a
huntgroup, if (say) the Class attribute
[EMAIL PROTECTED] wrote:
huntgroups file:
pool3 NAS-IP-Address == NAS1IPAddress
pool3 NAS-IP-Address == NAS2IPAddress
pool3 NAS-IP-Address == NAS3IPAddress
DEFAULT Huntgroup-Name == pool3, User-Name == user2, Auth-Type :=
Reject
in users file. Huntgroups *are* what you refer
RTR-Admins (which are allowed to access all CPE-IPs)
- difficult (big net) so I want to use REGEX wildcards, which
unfortunately covers the FW-IPs
huntgroups:
FW-IPs NAS-IP-Address == 10.0.0.1
FW-IPs NAS-IP-Address == 10.0.0.2
FW-IPs NAS-IP-Address == 10.0.0.3
CPE-IPs NAS-IP-Address
2nd Try, just in case my 1st message was not recognized ;-)
Hi Freeradius-List,
is it possible to give/deny access to multiple huntgroups for a single
user/group?
E.g.: User/group is denied to access hosts 10.0.0.1, 10.0.0.2 and
10.0.0.3 but is allowed to access all the other hosts
1 - 100 of 260 matches