Subject: Re: grouping and pool address - msg#00004
List: gnu.radius.general
maitani@xxxxxxxxxxx wrote:
> Actually we have three offices and want to do grouping
> based on those offices.
> Because I want to set different access rules on another firewall box
> for each office users. So I need to assign IP address from three different
> subnet pool addresses for those three offices.
> In addition, we know which account belongs to which office.
Then the solution is to bind each user to a specific group by his
username. Since you prefer to do this in plaintext radius configs (which
is OK for a small number of users), here's a short roadmap:

1. For each user add to your raddb/hints the following record:

    <username> NULL Hint = <groupname>

where <username> is this user name and <groupname> is the name of the
group he/she belongs to. For example, following your raddb/users
fragment:

    test1 NULL Hint = Group1
    test2 NULL Hint = Group1

    test3 NULL Hint = Group2
    test4 NULL Hint = Group2

    test5 NULL Hint = Group3
    test6 NULL Hint = Group3

2. To the beginning of your raddb/users add the following entries (it is
important that they be placed before any actual user entries):

    BEGIN NULL
        Match-Profile = "IPPOOL",
        Fall-Through = Yes

    IPPOOL Hint = Group1
        Framed-IP-Address = 192.168.1.1+,
        Framed-IP-Netmask = 255.255.255.255

    IPPOOL Hint = Group2
        Framed-IP-Address = 192.168.1.65+,
        Framed-IP-Netmask = 255.255.255.255

    IPPOOL Hint = Group3
        Framed-IP-Address = 192.168.1.129+,
        Framed-IP-Netmask = 255.255.255.255

Regards,
Sergey
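
Added example, not part of the original message or of GNU Radius: a check that the three pools above stay inside the address block the firewall expects for each office. It assumes the trailing "+" means "add the NAS-Port number to this address" and that the firewall keys its rules on three /26 subnets; those subnets and all function names are hypothetical.

```python
import ipaddress

# Constructed from the thread's example: raddb/hints (user -> Hint) and the
# base address of each IPPOOL profile in raddb/users.
HINTS = {"test1": "Group1", "test2": "Group1", "test3": "Group2",
         "test4": "Group2", "test5": "Group3", "test6": "Group3"}
POOL_BASE = {"Group1": "192.168.1.1", "Group2": "192.168.1.65",
             "Group3": "192.168.1.129"}
# Assumption (not in the thread): the firewall keys its rules on these subnets.
FIREWALL_NET = {"Group1": "192.168.1.0/26", "Group2": "192.168.1.64/26",
                "Group3": "192.168.1.128/26"}


def framed_ip(user, nas_port):
    """Address handed to `user` on `nas_port`; None if the user has no Hint."""
    # Assumption: '+' after the base address adds the NAS-Port number to it.
    group = HINTS.get(user)
    if group is None:
        return None
    return ipaddress.ip_address(POOL_BASE[group]) + nas_port


def firewall_group(addr):
    """Group whose firewall subnet holds `addr` as a usable host, else None."""
    for group, cidr in FIREWALL_NET.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and addr not in (net.network_address,
                                        net.broadcast_address):
            return group
    return None


def max_safe_port(group):
    """Highest NAS-Port that still maps to a usable host in the group's subnet."""
    net = ipaddress.ip_network(FIREWALL_NET[group])
    last_host = net.broadcast_address - 1
    return int(last_host) - int(ipaddress.ip_address(POOL_BASE[group]))


def audit(nas_ports):
    """Return (user, port, address, firewall group) for every mismatch."""
    findings = []
    for user, group in HINTS.items():
        for port in nas_ports:
            addr = framed_ip(user, port)
            seen_as = firewall_group(addr)
            if seen_as != group:
                findings.append((user, port, str(addr), seen_as))
    return findings
```

Under these assumptions a Group1 user on NAS port 70 receives 192.168.1.71, which the firewall would treat as a Group2 address; audit() lists every such case for the port range of the NAS in use.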
Previous Message by Date:
Authenticate users from multiple domains without the user specifying a realm or relying on called-number or NAS IP?
The ISP I work for has recently purchased another ISP. We are working
to integrate the dial pools. Unfortunately, we don't have PRIs and we
don't have caller-id on our T1 dial spans.
Currently, the dial spans are located on separate NAS boxes but I would
like to be able to merge the rollover groups so that I can try for a
higher user to trunk ratio without getting busy signals. I don't have
the RADIUS data merged between the two ISPs yet. I'm currently proxying
requests with the other ISP's realm.
Is it possible to do a proxy on usernames without a realm if it fails to
authenticate against the primary domain?
--
Scott Lambert KC5MLE Unix SysAdmin
lambert@xxxxxxxxxxxxxx
Next Message by Date:
Re: grouping and pool address
Hello Sergey,
Thank you for your great support.
I tried the below configuration and it was working fine!
Best regards,
Tomoyasu Maitani
On Fri, 14 Apr 2006 09:54:09 EEST
"Sergey Poznyakoff" <gray@xxxxxxxxxxxxxxxxxx> wrote:
> 1. For each user add to your raddb/hints the following record:
>
> <username> NULL Hint = <groupname>
>
> where <username> is this user name and <groupname> is the name of the
> group he/she belongs to. For example, following your raddb/users
> fragment:
>
> test1 NULL Hint = Group1
> test2 NULL Hint = Group1
>
> test3 NULL Hint = Group2
> test4 NULL Hint = Group2
>
> test5 NULL Hint = Group3
> test6 NULL Hint = Group3
>
> 2. To the beginning of your raddb/users add following entries (it is
> important that they be placed before any actual user entries):
>
> BEGIN NULL
> Match-Profile = "IPPOOL",
> Fall-Through = Yes
>
> IPPOOL Hint = Group1
> Framed-IP-Address = 192.168.1.1+,
> Framed-IP-Netmask = 255.255.255.255
>
> IPPOOL Hint = Group2
> Framed-IP-Address = 192.168.1.65+,
> Framed-IP-Netmask = 255.255.255.255
>
> IPPOOL Hint = Group3
> Framed-IP-Address = 192.168.1.129+,
> Framed-IP-Netmask = 255.255.255.255
--
KDDI Europe Ltd.
Tomoyasu Maitani <maitani@xxxxxxxxxxx>
tel:+44-20-7397-1176
fax:+44-20-7600-3088
****************************************************************************
The information contained in this electronic mail message, and any and
all accompanying documents, is confidential and may be legally
privileged. If you are not the intended recipient of this information,
any form of disclosure, distribution, copying or use of this communication
or the information in it or in any attachments is strictly prohibited
and may be unlawful. If you received this information in error, please
notify the sender immediately and delete it and destroy any copies of it.
Messages sent via the Internet may be subject to delays and/or unauthorized
alteration. Neither KDDI Europe Limited nor any of its affiliates shall
be held liable for the contents of this message.
****************************************************************************
Previous Message by Thread:
Re: grouping and pool address
Actually we have three offices and want to do grouping
based on those offices.
Because I want to set different access rules on another firewall box
for each office users. So I need to assign IP address from three different
subnet pool addresses for those three offices.
In addition, we know which account belongs to which office.
Best regards,
Tomoyasu Maitani
> Tomoyasu Maitani <maitani@xxxxxxxxxxx> wrote:
>
>> Now I want to do grouping those accounts into two or three groups
>
> What criteria do you wish to use to determine to which group a user
> pertains to?
>
> Regards,
> Sergey
>