proposed-new-users   [plain text]

Adding new features usually requires adding yet another
file. We already have a slew of files in /etc/raddb, it should be
possible to fold them into one. From radiusd's point of view that
is, by using $INCLUDE statements it would still be possible for
the admin to concentrate different things (like huntgroups) in
a seperate file.

Hints could be done with:

user * {
	check:		Prefix = "U"
	transform:	Strip-User-Name = Yes
	check-add:	Hint = "PPP",
			Service-Type = Framed-User,
			Framed-Protocol = PPP
}

Huntgroups with:

user * {
	check:		NAS-IP-Address = 192.168.2.5
	check:		NAS-IP-Address = 192.168.2.6
	check:		NAS-IP-Address = 192.168.2.7
	auth:		Group = "staff"
	auth:		Group = "cistron"
	check-add:	Huntgroup = alphen
}

Normal entry, but with CLID auth instead of passwd

username remoterouter {
	check:		Service-Type = Framed-User
	auth:		Calling-Station-Id = "55512345"
	reply:		Framed-IP-Address = 192.168.1.2,
			Service-Type = Framed-User,
			Framed-Protocol = PPP
	exec-program:	/usr/local/bin/loggedin
	fallthrough:	no
}

Basically the keywords should be:

check:		all items must match
		Multiple check statements can be present which
		will be ORed (entry applies when one matches)
		If entry doesn't match, the next entry will be tried
auth:		If check matches, authentication will be done.
		If authentication fails we don't fall through ever
reply:		Set the reply message to something
reply-add:	Add something to the existing reply-message
check-add:	Add something to the existing check pairs
fallthrough:	Fall through to the next entry (unless auth failed)
transform:	rules to change the username. Not quite sure how
		to do this yet.
stage:		(auth|acct) to apply at authentication or accounting time