-----Original Message-----
From: freeradius-users-bounces+thibault.lemeur=supelec.fr@lists.freeradius.org [mailto:freeradius-users-bounces+thibault.lemeur=supelec.fr@lists.freeradius.org] On behalf of jerrrry@voila.fr
Sent: Friday, 1 December 2006 17:16
To: freeradius-users@lists.freeradius.org
Subject: differentiating radius attribute
Hi everybody, I'm using freeradius to authenticate and authorize users to cisco switches/routers/FW.
My issue is that I want to do aaa for 3 things on the same device: device administrators login (telnet), 802.1x EAP/MD5, and managing firewall FWSM ACLs (radius attribute in the response: filter-id=acl_name). My question is how to differentiate these 3 needs by a radius attribute in the request, to be able to send in the response only the good radius authorization attribute depending on the aaa type asking.
Could you run the radius server in debug mode (radius -X), and check what Attributes are present in the Request. Maybe something like Service-Type, Framed-Protocol, and NAS-Port could be used.
For instance this is a request from a PPP server:

rad_recv: Access-Request packet from host A.B.C.D:32776, id=171, length=136
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "MyLogin"
        MS-CHAP-Challenge = 0xXXXXXX
        MS-CHAP2-Response = 0xXXXXXXXX
        NAS-IP-Address = X.Y.Z.T
        NAS-Port = 0

And this is a request from a WiFi access (not on the same NAS though):

rad_recv: Access-Request packet from host A.B.C.D:1030, id=1, length=213
        Message-Authenticator = 0xXXXXXXXXXXXXXXXX
        Service-Type = Framed-User
        User-Name = "anonymous"
        Framed-MTU = 1492
        State = 0xXXXXXXXXX
        Called-Station-Id = "MACADDR:SSID"
        Calling-Station-Id = "MACADDR"
        NAS-Identifier = "AP_Name"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "802.11g"
        EAP-Message = 0xXXXXXXXX
        NAS-IP-Address = X.Y.Z.T
        NAS-Port = 1
        NAS-Port-Id = "STA port # 1"

Check also in your NAS setup if you can add specific attributes to the Request depending on the service used.
HTH,
Thibault
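The approach Thibault describes, as an added example that is not part of the thread or of FreeRADIUS itself: parse the "rad_recv" attribute dumps that the server prints in debug mode, classify each Access-Request by the attributes it carries (EAP-Message present, Service-Type, Framed-Protocol, which NAS sent it), and hand back only the reply attributes that belong to that kind of request, so an ACL in Filter-Id or an admin privilege level never leaks into a reply for a different service. The sample dumps are constructed (placeholder addresses), and the classification rules, the FIREWALL_NASES set, the admin Service-Type values and the Cisco-AVPair reply for administrators are assumptions about how a given NAS behaves; confirm them against your own debug output before expressing the same logic in the users file or unlang.

```python
"""Classify FreeRADIUS Access-Requests by the attributes they carry.

Added example (not from the thread): parses the attribute dumps that
"radiusd -X" prints (rad_recv: ...) and decides which of the three AAA
uses a request belongs to, so that only the matching reply attributes
are returned. Rules, NAS addresses and reply values are assumptions.
"""
import re

# Constructed sample output, modelled on the dumps quoted in the thread.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 192.0.2.10:32776, id=171, length=136
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "MyLogin"
        NAS-IP-Address = 192.0.2.1
        NAS-Port = 0
rad_recv: Access-Request packet from host 192.0.2.20:1030, id=1, length=213
        Service-Type = Framed-User
        User-Name = "anonymous"
        NAS-Port-Type = Ethernet
        EAP-Message = 0x0200000501
        NAS-IP-Address = 192.0.2.2
        NAS-Port = 1
rad_recv: Access-Request packet from host 192.0.2.2:1645, id=7, length=80
        Service-Type = NAS-Prompt-User
        User-Name = "admin"
        NAS-Port-Type = Virtual
        NAS-IP-Address = 192.0.2.2
rad_recv: Access-Request packet from host 192.0.2.30:1645, id=9, length=90
        Service-Type = Login-User
        User-Name = "alice"
        NAS-IP-Address = 192.0.2.30
"""

HEADER_RE = re.compile(r"^rad_recv: Access-Request packet from host (\S+):(\d+), id=(\d+)")
ATTR_RE = re.compile(r"^\s+([\w-]+)\s*=\s*(.*)$")

# Assumption: addresses of the firewalls whose user sessions receive an ACL.
FIREWALL_NASES = {"192.0.2.30"}

# Assumption: Service-Type values the device sends for an administrator login.
ADMIN_SERVICE_TYPES = {"NAS-Prompt-User", "Administrative-User"}


def parse_debug(text):
    """Split radiusd -X output into one record per Access-Request."""
    requests = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"nas_host": m.group(1), "id": int(m.group(3)), "attrs": {}}
            requests.append(current)
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            name, value = m.group(1), m.group(2).strip().strip('"')
            # An attribute may repeat (EAP-Message fragments); keep every value.
            current["attrs"].setdefault(name, []).append(value)
    return requests


def first(attrs, name):
    """First value of an attribute, or None when it is absent."""
    return attrs.get(name, [None])[0]


def classify(request):
    """Decide which AAA use a request belongs to (assumed rules)."""
    attrs = request["attrs"]
    nas = first(attrs, "NAS-IP-Address") or request["nas_host"]
    service = first(attrs, "Service-Type")
    if "EAP-Message" in attrs:          # 802.1X: the EAP module handles the method
        return "dot1x"
    if service in ADMIN_SERVICE_TYPES:  # exec/telnet login on the device itself
        return "device-admin"
    if service == "Login-User" and nas in FIREWALL_NASES:
        return "firewall-acl"           # user session through the firewall
    if service == "Framed-User" and first(attrs, "Framed-Protocol") == "PPP":
        return "ppp"
    return "unknown"


def reply_attributes(kind, acl_name="acl_name"):
    """Reply attributes allowed for this kind of request; nothing for the rest."""
    if kind == "firewall-acl":
        return {"Filter-Id": acl_name}
    if kind == "device-admin":
        return {"Cisco-AVPair": "shell:priv-lvl=15"}  # assumption
    return {}


if __name__ == "__main__":
    for req in parse_debug(SAMPLE_DEBUG):
        kind = classify(req)
        print(req["id"], kind, reply_attributes(kind))
```

Classifying on EAP-Message first matters: an 802.1X request in the thread also carries Service-Type = Framed-User, so a rule keyed on Service-Type alone would confuse it with the PPP case.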