Require NAS dependent radius return attributes


Require NAS dependent radius return attributes

B Thompson
> Ben Thompson wrote:
>
> > The trouble is I need to assign different VLAN's to users depending
> > which access point they connect from. What I would like to know is if it
> > is possible to use Huntgroups to look up the VLAN id based on something
> > like the IP address of the access point?
>
> You could test the variable "Client-IP-Address" in the users file.
>
> testuser Client-IP-Address == 10.0.0.1, Password := "azerty"
> Tunnel-Private-Group-ID:1 := 1,
> Fall-Through = Yes
>
> testuser Client-IP-Address == 10.0.0.2, Password := "azerty"
> Tunnel-Private-Group-ID:1 := 2,
> Fall-Through = Yes
>
> --
> Nicolas Baradakis

Hi

Thanks for that advice. I can see that I could end up with a very large
users file using this method. Is there any limit on the size of the
users file? In the near future we may have something like 800000 entries
in there. Is this where you would normally look to use a database
backend?

Thanks

Ben


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Require NAS dependent radius return attributes

Alan DeKok
Ben Thompson <[hidden email]> wrote:
> Thanks for that advice. I can see that I could end up with a very large
> users file using this method. Is there any limit on the size of the
> users file?

  Memory.  Also, the CPU time required to walk its internal
representation (linked list).

> In the near future we may have something like 800000 entries in
> there. Is this where you would normally look to use a database
> backend?

  Yes.  Or, if the mappings are relatively simple, you could look at
rlm_passwd, which does simple mappings.  It uses a hash to look up
data, so it should be fast.

  Alan DeKok.

Re: Require NAS dependent radius return attributes

B Thompson
On Wed, 2005-08-17 at 10:51 -0400, Alan DeKok wrote:

> Ben Thompson <[hidden email]> wrote:
> > Thanks for that advice. I can see that I could end up with a very large
> > users file using this method. Is there any limit on the size of the
> > users file?
>
>   Memory.  Also, the CPU time required to walk its internal
> representation (linked list).
>
> > In the near future we may have something like 800000 entries in
> > there. Is this where you would normally look to use a database
> > backend?
>
>   Yes.  Or, if the mappings are relatively simple, you could look at
> rlm_passwd, which does simple mappings.  It uses a hash to look up
> data, so it should be fast.
>
>   Alan DeKok.

Hi

Thanks for the info, I will have a look at rlm_passwd.

Meanwhile I have tested a setup using the huntgroups file combined with
the use of multiple DEFAULT entries in the users file like this :-

huntgroups file >>>>

group1 NAS-Identifier == "accesspoint5"
group1 NAS-Identifier == "accesspoint2"

group2 NAS-Identifier == "switch6"
group2 NAS-Identifier == "switch3"

etc..

>>>>



users file >>>>

user1 NT-Password := "35C8397B2320E568467904961A2AF40F"
        Fall-Through = Yes

user2 NT-Password := "35C8397B2320E568467904961A2AF40F"
        Fall-Through = Yes


DEFAULT
        Tunnel-Type:1 := VLAN,
        Tunnel-Medium-Type:1 := IEEE-802,
        Fall-Through = Yes

DEFAULT Huntgroup-Name == group1
        Tunnel-Private-Group-ID:1 := 3970,
        Fall-Through = Yes

DEFAULT Huntgroup-Name == group2
        Tunnel-Private-Group-ID:1 := 4025

>>>>


This cuts the potential size of my users file down to about 20000
entries and the huntgroups file to about 50 entries. Does this sound
reasonable? I am currently running on a dual Xeon 2.8GHz with 2GB of RAM
which is dedicated to running FreeRADIUS.

Many Thanks

Ben Thompson
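
The lookup behaviour Ben's layout relies on, as an added toy model that is not code from the thread or from FreeRADIUS: the users file is walked top to bottom, the first entry whose check items all match contributes its items, and only Fall-Through = Yes lets the walk continue, while a Huntgroup-Name check is true when any line of that group matches the request. Group names, NAS identifiers and VLAN ids are taken from Ben's files; the NT-Password values are placeholders.

```python
# Added example (not from the thread): a toy model of the users-file walk.
# Constructed from Ben's huntgroups file: (group, attribute, value).
HUNTGROUPS = [
    ("group1", "NAS-Identifier", "accesspoint5"),
    ("group1", "NAS-Identifier", "accesspoint2"),
    ("group2", "NAS-Identifier", "switch6"),
    ("group2", "NAS-Identifier", "switch3"),
]

# Constructed from Ben's users file: (name, check items compared with the
# request, control items set with ':=', reply items). Hashes are placeholders.
USERS = [
    ("user1", {}, {"NT-Password": "hash-user1"}, {"Fall-Through": "Yes"}),
    ("user2", {}, {"NT-Password": "hash-user2"}, {"Fall-Through": "Yes"}),
    ("DEFAULT", {}, {}, {"Tunnel-Type:1": "VLAN",
                         "Tunnel-Medium-Type:1": "IEEE-802",
                         "Fall-Through": "Yes"}),
    ("DEFAULT", {"Huntgroup-Name": "group1"}, {},
     {"Tunnel-Private-Group-ID:1": "3970", "Fall-Through": "Yes"}),
    ("DEFAULT", {"Huntgroup-Name": "group2"}, {},
     {"Tunnel-Private-Group-ID:1": "4025"}),
]

def in_huntgroup(group, request):
    """A request belongs to a huntgroup if any line of that group matches."""
    return any(request.get(attr) == value
               for g, attr, value in HUNTGROUPS if g == group)

def check_matches(attr, value, request):
    if attr == "Huntgroup-Name":
        return in_huntgroup(value, request)
    return request.get(attr) == value

def authorize(request):
    """Walk USERS top to bottom (the linear scan Alan mentions);
    returns (control items, reply items, entries examined)."""
    control, reply, examined = {}, {}, 0
    for name, checks, ctrl, rep in USERS:
        examined += 1
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        if not all(check_matches(a, v, request) for a, v in checks.items()):
            continue
        control.update(ctrl)
        reply.update({k: v for k, v in rep.items() if k != "Fall-Through"})
        if rep.get("Fall-Through") != "Yes":
            break  # no Fall-Through: stop at the first full match
    return control, reply, examined
```

Running it for a user on a NAS in neither group shows the reply carrying Tunnel-Type and Tunnel-Medium-Type but no Tunnel-Private-Group-ID, and in this model an unknown user name still collects the DEFAULT VLAN items, so rejection depends on the later authentication step finding no password to check.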



Re: Require NAS dependent radius return attributes

Alan DeKok
Ben Thompson <[hidden email]> wrote:
> This cuts the potential size of my users file down to about 20000
> entries and the huntgroups file to about 50 entries. Does this sound
> reasonable?

  Yes.  But also:

> user2 NT-Password := "35C8397B2320E568467904961A2AF40F"
>         Fall-Through = Yes

  If that's all you're doing with usernames, I'd still suggest using
rlm_passwd.  It'll be a lot easier to manage, and faster, too.

  Alan DeKok.
