Sure can.
So the way it works in FreeRADIUS is in a few stages.
1. It will authorize the user,
2. It will authenticate the user,
3. Finally you can do post-auth manipulation.
All of this happens before RADIUS sends an Access-Accept or Access-Reject.
In this case, I am working in the post-auth section.
Since we have multiple types of devices that require different login types (think: Wireless, 802.1x, VPN, switch management), the easiest way to match what I want is via the literal NAS name and login-type.
My configuration looks something like this:
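post-auth {
    # Members of admin-L15 get administrative access on any NAS.
    if (LDAP-Group == "admin-L15") {
        update reply {
            Service-Type := Administrative-User
        }
    }
    # Members of admin-L1 get it only on controller-b.
    elsif ((LDAP-Group == "admin-L1") && (NAS-Identifier == "controller-b")) {
        update reply {
            Service-Type := Administrative-User
        }
    }
    # Anyone else is rejected.
    else {
        reject
    }
}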
It's pretty cool actually.
Dave