This puts it into the access-request and the radius server sees it:

rad_recv: Access-Request packet from host 127.0.0.1:32770, id=106, length=79
    User-Name = "joe"
    User-Password = "testing"
    incoming-req-uri = "http://www.blibble.net/path_to"
Processing the authorize section of radiusd.conf

Now, I can extend the radcheck table to include the URL and add that into the sql query as defined in mysql.conf, but how do I get freeradius to authenticate on the triple?
This is simple to implement in the users file (files module) and should be easy as well in the mysql backend (though I don't have experience on this one).
You'll have to define specific rules that check both authentication and your attribute for your Cisco 'web device'. I propose to define a Huntgroup for your cisco web devices and then you can add rules like these ones:
DEFAULT Huntgroup-Name == My-Cisco, incoming-req-uri != "http://www.blibble.net/path_to", Auth-Type := Reject
    Fall-Through = no

DEFAULT Huntgroup-Name == My-Cisco, incoming-req-uri == "http://www.blibble.net/path_to"
    Fall-Through = no

In order to implement these rules directly in mysql see the doc/rlm_sql file.

If this does not work, stop the radius server and then run it in debug mode:

/etc/init.d/radiusd stop
radiusd -X
...

Then run your Radius authentication request and send the debug log to the list.
HTH, Thibault
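
An added example, not part of the original thread and not FreeRADIUS code: a simplified Python model of how the two DEFAULT entries above sort incoming requests. It assumes that a comparison against an attribute missing from the request never matches, and it treats Huntgroup-Name as an ordinary request attribute; the function names and sample requests are constructed for illustration.

```python
# Simplified model of users-file matching for the two DEFAULT entries above.
URI = "http://www.blibble.net/path_to"

# Each entry: (check items, control items set on match, Fall-Through)
RULES = [
    ([("Huntgroup-Name", "==", "My-Cisco"), ("incoming-req-uri", "!=", URI)],
     {"Auth-Type": "Reject"}, False),
    ([("Huntgroup-Name", "==", "My-Cisco"), ("incoming-req-uri", "==", URI)],
     {}, False),
]

def item_matches(request, attr, op, value):
    # Assumption of this model: an attribute absent from the request
    # matches neither "==" nor "!=".
    if attr not in request:
        return False
    if op == "==":
        return request[attr] == value
    return request[attr] != value

def evaluate(request, rules=RULES):
    """Return (indexes of matched entries, control items they set)."""
    matched, control = [], {}
    for index, (checks, sets, fall_through) in enumerate(rules):
        if all(item_matches(request, *check) for check in checks):
            matched.append(index)
            control.update(sets)
            if not fall_through:
                break
    return matched, control

def decision(request):
    matched, control = evaluate(request)
    if control.get("Auth-Type") == "Reject":
        return "reject"
    if matched:
        return "check-password"   # URI accepted; the password is still verified
    return "no-rule-matched"      # neither DEFAULT entry applied

# Constructed sample requests
GOOD = {"Huntgroup-Name": "My-Cisco", "User-Name": "joe", "incoming-req-uri": URI}
BAD_URI = dict(GOOD, **{"incoming-req-uri": "http://www.blibble.net/other"})
NO_URI = {"Huntgroup-Name": "My-Cisco", "User-Name": "joe"}

if __name__ == "__main__":
    for name, req in (("good", GOOD), ("bad-uri", BAD_URI), ("no-uri", NO_URI)):
        print(name, decision(req))
```

Under that assumption, a request from the huntgroup that carries no incoming-req-uri at all matches neither entry, so its outcome depends on whatever entries follow in the users file.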