[prev in list] [next in list] [prev in thread] [next in thread]
List: freeradius-users
Subject: Re: Per device/user attributes
From: Alan DeKok <aland () deployingradius ! com>
Date: 2008-08-28 14:05:29
Message-ID: 48B6B0A9.9000103 () deployingradius ! com
[Download RAW message or body]
Gene Hinds wrote:
> I am trying to determine how to have freeradius respond with
> different attributes for a user depending on what device he telnets
> into.
You key off of the source IP address. See "man unlang"
if (Packet-Src-IP-Address == 1.2.3.4) {
update reply {
Reply-Message := "Foo!"
}
}
...
> If he is a level 1 tech and telnets into a customer router I want
> him to have admin rights but if he telnets into a Core router I want him
> to only have Cisco level 1 access. Since these are naturally different
> attributes the response from freeradius needs to be different depending
> on the routers sending the request. From reading it seems this is
> possible with some rules in possibly the "radcheck" table but I cannot
> fully grasp the concept.
I'm not sure that the SQL schema is up to that task.
> Can someone please give me some direct documentation or
> configuration examples on this issue? I seem to know just just enough to
> get myself in trouble so the more detailed the instructions the better.
What you can do instead is to abstract the privilege level from the
returned attributes. e.g. create a schema with <admin, ip, privilege>
Then do:
update control {
Tmp-String-0 = "%{sql: SELECT foo from bar WHERE user = %{User-Name} ..."
}
switch "%{Tmp-String-0}" {
case low {
update reply {
...
}
}
case high {
update reply {
...
}
}
}
Hope that makes sense.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic