
List:       freeradius-users
Subject:    Re: Per device/user attributes
From:       Alan DeKok <aland () deployingradius ! com>
Date:       2008-08-28 14:05:29
Message-ID: 48B6B0A9.9000103 () deployingradius ! com

Gene Hinds wrote:
>     I am trying to determine how to have freeradius respond with
> different attributes for a user depending on what device he telnets
> into.

  You key off of the source IP address.  See "man unlang"

	if (Packet-Src-IP-Address == 1.2.3.4) {
		update reply {
			Reply-Message := "Foo!"
		}
	}

	...

> If he is a level 1 tech and telnets into a customer router I want
> him to have admin rights but if he telnets into a Core router I want him
> to only have Cisco level 1 access. Since these are naturally different
> attributes the response from freeradius needs to be different depending
> on the routers sending the request. From reading it seems this is
> possible with some rules in possibly the "radcheck" table but I cannot
> fully grasp the concept.

  I'm not sure that the SQL schema is up to that task.

>     Can someone please give me some direct documentation or
> configuration examples on this issue? I seem to know just enough to
> get myself in trouble so the more detailed the instructions the better.

  What you can do instead is to abstract the privilege level from the
returned attributes.  e.g. create a schema with <admin, ip, privilege>

  Then do:

	update control {
		Tmp-String-0 = "%{sql: SELECT foo from bar WHERE user = %{User-Name} ..."
	}

	switch "%{Tmp-String-0}" {
		case low {
			update reply {
				...
			}
		}
		case high {
			update reply {
				...
			}
		}
	}

  Hope that makes sense.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
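A Python model of the two-step scheme in Alan's reply (an abstract privilege looked up from the user and the packet's source IP, then a switch from that privilege to concrete reply attributes), added here as an illustration; it is not FreeRADIUS configuration or code from the thread. The user table, the device address ranges, the policy matrix and the Cisco-AVPair values are constructed sample data, and the "level1"/"customer"/"core" names are assumptions standing in for whatever the SQL schema would hold.

```python
"""Model of: privilege := f(user, source IP); reply attributes := g(privilege).

All tables are constructed sample data for this example.  In a real
deployment the user tier and device class would come from SQL, and the
source IP is Packet-Src-IP-Address (the actual sender of the request).
"""
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# Constructed: which router address ranges are "customer" vs "core".
DEVICE_CLASS = {
    ip_network("192.0.2.0/24"): "customer",
    ip_network("198.51.100.0/24"): "core",
}

# Constructed: technician tier per user (the <admin, ..., privilege> table).
USER_TIER = {
    "gene": "level1",
    "alice": "level2",
}

# Policy matrix: (tier, device class) -> abstract privilege.  Any pair not
# listed yields no privilege at all, which becomes an Access-Reject below,
# so an unknown router or unknown user never silently gets admin rights.
PRIVILEGE = {
    ("level1", "customer"): "high",
    ("level1", "core"): "low",
    ("level2", "customer"): "high",
    ("level2", "core"): "high",
}

# Abstract privilege -> concrete reply attributes (the "switch" in the post).
# priv-lvl=15 is Cisco enable/admin, priv-lvl=1 is plain user EXEC.
REPLY_ATTRS = {
    "high": {"Cisco-AVPair": "shell:priv-lvl=15", "Reply-Message": "admin"},
    "low": {"Cisco-AVPair": "shell:priv-lvl=1", "Reply-Message": "restricted"},
}


def classify_device(src_ip: str) -> Optional[str]:
    """Map the request's source address to a device class, or None."""
    addr = ip_address(src_ip)
    for net, cls in DEVICE_CLASS.items():
        if addr in net:
            return cls
    return None


def lookup_privilege(user: str, src_ip: str) -> Optional[str]:
    """Step 1: the SQL-style lookup that fills Tmp-String-0 in the post."""
    tier = USER_TIER.get(user)
    cls = classify_device(src_ip)
    if tier is None or cls is None:
        return None
    return PRIVILEGE.get((tier, cls))


def authorize(user: str, src_ip: str) -> Tuple[str, Dict[str, str]]:
    """Step 2: switch on the privilege and build the reply."""
    priv = lookup_privilege(user, src_ip)
    if priv is None:
        return ("Access-Reject", {})
    return ("Access-Accept", dict(REPLY_ATTRS[priv]))


if __name__ == "__main__":
    for user, src in [("gene", "192.0.2.10"),    # level1 on a customer router
                      ("gene", "198.51.100.5"),  # level1 on a core router
                      ("gene", "203.0.113.1"),   # unknown router
                      ("bob", "192.0.2.10")]:    # unknown user
        code, attrs = authorize(user, src)
        print(f"{user:6} from {src:14} -> {code} {attrs}")
```

Two design points carry over from the post. First, keying off the packet source rather than a request attribute such as NAS-IP-Address matters: the source address is where the packet actually came from, while NAS-IP-Address is just a field the client fills in. Second, keeping the policy matrix separate from the reply attributes means adding a third device class or a new tier is a table change, not another copy of the vendor-specific attribute list.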