Authenticate/Attributes based on NAS-IP-Address

N White nwtech at tele-net.net
Wed Jun 8 04:20:28 CEST 2005


Dustin Doris wrote:

>On Tue, 7 Jun 2005, N White wrote:
>
>>Well, thanks for the input. With MySQL, 1500 users is easier to
>>maintain. Perhaps I should just run a second FreeRADIUS server for the
>>second NAS. It means more equipment, but whatever it takes.
>>
>>-Nick
>
>You don't need to do that, you can do it with SQL in one server.  First,
>work on reading the documentation and installing the server and setting up
>mysql for authorization.  Once you've got that down, then move on to the
>reply values and groups if you want them.
>
>Alan gave you a good start with the users file entries.  Read man 5 users,
>that will tell you about the users file.  You'll take that info and
>transfer it to sql.
>
>It would look something like this.
>
>users file only format
>bob     NAS-IP-Address == foo, Pool-Name := "foo"
>
>bob     NAS-IP-Address == bar
>        Framed-IP-Address := 1.2.3.4
>
>
>SQL Format.
>
>in the users file
>
>DEFAULT NAS-IP-Address == foo, Pool-Name := "foo"
>
>This says any user from that nas-ip will have Pool-Name set to foo.  That
>is what ippool will use to assign ips.
>
>in radiusd.conf, in your ip_pool section be sure to include.
>
>override = no
>
>That makes it so a dynamic ip from ippool will not override one statically
>assigned to the user as a reply value.
>
>In sql in the radcheck table you put your users and their passwords.  In
>radreply you put the users and their static ip.
>
>for example,
>
>insert into radcheck (username,attribute,value,op) VALUES
>('bob','User-Password','bobspassword','==');
>
>insert into radreply (username,attribute,value,op) VALUES
>('bob','Framed-IP-Address','1.1.1.1',':='),
>('bob','Framed-IP-Netmask','255.255.255.0',':=');
>
>
>That should give you a good start.  Get it set up and if you run into
>problems post radiusd -X to the list and describe what you are trying to
>do.
>
>You can add groups in if you want but right now you probably won't need
>it.
>
>Hope that is helpful.
>
>Dusty Doris
>
Actually I already have two running FreeRADIUS servers with SQL. That 
isn't the hard part. The problem with your instructions is that I'm not 
using ippool to assign dynamic IPs, our NASes are doing that (Portmaster 
2/3). I don't have a problem setting up static IPs either, as we have 
several Dial-Up users who need those also. The problem lies in that I 
want to use the RADIUS server for PPPoE authentication also. But I want 
to allow users who log in through PPPoE to also be able to log in 
regularly (Dial-Up), when their PPPoE isn't logged in. BUT, when they log 
in through PPPoE, I want them to be assigned a static IP; when they 
log in via Portmasters/Dial-Up, then they don't get the static IP, they 
get a regular dynamic one.
Basically if a user logs in through NAS1, they are assigned X attributes 
with dynamic IP, if they log in through NAS2, they are assigned Y 
attributes with a static IP. And all this needs to be done in MySQL, 
that way my own PHP frontend (which I intend to release GPL) can work 
with it. Also I think MySQL scales better.

-Nick

-- 
------------------------
| Nick White           |
| Network Consultant   |
| http://www.edge9.net |
| nwtech at tele-net.net  |
------------------------
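
Added example, not part of the original thread and not FreeRADIUS code: a small model of the lookup described above, where a user's reply rows are filtered by the NAS the request arrived from, so the static IP is returned only on one NAS. The nasipaddress column, the NAS addresses 10.0.0.1 and 10.0.0.2, and the reply_items helper are hypothetical; SQLite stands in for MySQL, and wiring such a query into the server's SQL module is assumed and not shown.

```python
import sqlite3

# Constructed sample rows. The radreply table and bob's static address come
# from the thread; the trailing nasipaddress value is a hypothetical extra
# column (None/NULL means "send this attribute on every NAS").
DIALUP_NAS = "10.0.0.1"   # constructed: Portmaster, hands out dynamic IPs itself
PPPOE_NAS = "10.0.0.2"    # constructed: PPPoE concentrator, needs the static IP
ROWS = [
    ("bob", "Framed-Protocol", ":=", "PPP", None),
    ("bob", "Framed-IP-Address", ":=", "1.1.1.1", PPPOE_NAS),
    ("bob", "Framed-IP-Netmask", ":=", "255.255.255.0", PPPOE_NAS),
]


def open_db():
    """Build an in-memory radreply table with the hypothetical NAS column."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE radreply (id INTEGER PRIMARY KEY,"
        " username TEXT NOT NULL, attribute TEXT NOT NULL,"
        " op TEXT NOT NULL, value TEXT NOT NULL, nasipaddress TEXT)"
    )
    db.executemany(
        "INSERT INTO radreply (username, attribute, op, value, nasipaddress)"
        " VALUES (?, ?, ?, ?, ?)",
        ROWS,
    )
    return db


def reply_items(db, username, nas_ip):
    """Return the reply attributes this user gets when seen from nas_ip."""
    # Bound parameters keep the username and NAS address (both taken from
    # the incoming request) out of the SQL text.
    cur = db.execute(
        "SELECT attribute, op, value FROM radreply"
        " WHERE username = ?"
        " AND (nasipaddress IS NULL OR nasipaddress = ?)"
        " ORDER BY id",
        (username, nas_ip),
    )
    return cur.fetchall()


if __name__ == "__main__":
    db = open_db()
    for nas in (DIALUP_NAS, PPPOE_NAS):
        print(nas, reply_items(db, "bob", nas))
```
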




More information about the Freeradius-Users mailing list