jonr@destar.net wrote:
Quoting Alan DeKok <aland@deployingradius.com>:
And yes, I cover all of this in my book, which will be done real soon now...

This is the book I am waiting to read. The O'Reilly book is a good primer but really doesn't get to the meat of what Radius can do.

You can do:
bob Calling-Station-Id != "0001....", Auth-Type := Reject

Could I also do:
bob password = "neil", Calling-Station-Id != "0001....", Auth-Type := Reject
So that both pieces of information have to be present to be authenticated?
No, that would always reject the user. You could do this:
bob Calling-Station-Id != "0001....", Auth-Type := Reject
bob User-Password := "neil"
Can you instead use rlm_checkval like this:
modules {
    passwd user2allowedmacs {
        filename = /etc/raddb/user2allowedmacs
        format = "*User-Name:Calling-Station-Id"
        hashsize = 100
        allowmultiplekeys = yes
    }
    checkval usermacs {
        item-name = Calling-Station-Id
        check-name = Calling-Station-Id
        data-type = string
        notfound-reject = yes
    }
}
authorize {
    preprocess
    user2allowedmacs
    usermacs
    # other stuff
}
/etc/raddb/user2allowedmacs:
user1:001122334455
user1:aabbccddeeff
user2:0123456789ab
...I think that ought to work?
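
Added example, not part of the thread or of FreeRADIUS: a Python model of the per-user allow-list decision that the passwd + checkval configuration above aims for, run over a constructed copy of the mapping file. It assumes checkval compares strings exactly, returns notfound when the user has no entry in the file, and rejects a request lacking Calling-Station-Id only when notfound-reject = yes; normalize() is a hypothetical helper.

```python
# Added illustration: models the allow-list decision, not FreeRADIUS code.
from collections import defaultdict

# Constructed sample in the thread's "User-Name:Calling-Station-Id" layout.
SAMPLE_FILE = """\
user1:001122334455
user1:aabbccddeeff
user2:0123456789ab
"""

def load_allowed(text):
    """Parse the mapping; repeated keys accumulate (allowmultiplekeys = yes)."""
    allowed = defaultdict(list)
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        user, sep, mac = line.partition(":")
        if not sep or not user or not mac:
            raise ValueError(f"line {lineno}: expected user:mac")
        allowed[user].append(mac)
    return dict(allowed)

def check(allowed, user, calling_station_id, notfound_reject=True):
    """Return 'ok', 'reject' or 'notfound' for one request (assumed semantics)."""
    if calling_station_id is None:      # attribute absent from the request
        return "reject" if notfound_reject else "notfound"
    macs = allowed.get(user)
    if not macs:                        # no check item exists for this user
        return "notfound"
    # data-type = string: assumed exact, case-sensitive comparison
    return "ok" if calling_station_id in macs else "reject"

def normalize(mac):
    """Hypothetical helper: lowercase and drop separators before comparing."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

if __name__ == "__main__":
    allowed = load_allowed(SAMPLE_FILE)
    requests = [("user1", "aabbccddeeff"), ("user1", "0123456789ab"),
                ("user1", "AA-BB-CC-DD-EE-FF"), ("user3", "001122334455"),
                ("user2", None)]
    for user, csid in requests:
        print(user, csid, "->", check(allowed, user, csid))
```

Under these assumptions a user with no line in the file is not restricted by this check, and a NAS that sends the MAC with separators or in upper case will not match the file entries as written.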