catch-all line at the end of users file?
tnt at kalik.co.yu
Wed Jun 6 16:38:45 CEST 2007
If the request comes from a device that isn't in your clients.conf it
will be rejected, so you needn't bother with all this. The server doesn't
accept packets from unknown devices. It's a basic security feature.
Ivan Kalik
Kalik Informatika ISP
On 6/6/2007, "Brian Johnson" <voyager.106 at gmail.com> wrote:
>Hello again all,
>
>Thanks to the folks who responded to my earlier plea with regards to
>authenticating many Cisco devices using radius. I'm trying to weigh
>my options and see which direction I want to go.
>
>One idea I had after sending mail to the list was to have a sort of
>"catch-all" line at the end of the users file, so that if the radius
>server hears a request from a device where the client-ip-address isn't
>specified already in the file, it would look in our custom group file
>for authorized users and allow them entry. Here's an idea of what I'm
>thinking:
>
>
>DEFAULT Auth-Type = Kerberos
>	Fall-Through = 1
>DEFAULT Client-IP-Address == 10.0.0.60, Huntgroup-Name == group1
>DEFAULT Client-IP-Address == 10.0.0.226, Huntgroup-Name == group2
>DEFAULT Called-Station-Id == 5551234, Custom-Group == "dept800"
>	Service-Type = Framed-User,
>	Framed-Protocol = PPP,
>	Framed-Routing = Broadcast-Listen,
>	Framed-MTU = 1500,
>	Session-Timeout = 28800,
>	Idle-Timeout = 28800,
>	Framed-Compression = Van-Jacobson-TCP-IP
>DEFAULT Called-Station-Id == 5551234, Auth-Type := Reject
>....
>and at the end:
>DEFAULT Custom-Group == "routerfolk"
>DEFAULT Auth-Type := Reject
>
>My thinking is, if the request comes from a device where the
>client-ip-address is specified, then it will let it through. If it
>comes from a device where the client-ip-address is not specified, then
>it will hit the next-to-last line of the file, check the
>custom-group file and see if the user exists in it. If they do,
>they're authenticated on the device. If they don't exist in the file,
>then they'll hit the last line and be rejected.
>
>However, what I've found in practice is, even if a request is heard
>from a device where the client-ip-address is specified above, they're
>still being rejected by the last line. Is there any way that I can
>tell the last line to reject *only* if there isn't a match previous to
>it?
>
>Thanks again for any help!
>
>Brian
>
>
>--
>Brian Johnson
>"And I will be even more undignified than this, and will be humble in
>my own sight." (2 Samuel 6:22)
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
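Ivan's point, and the Fall-Through behaviour behind Brian's question, as an added example: this is not code from the thread and not FreeRADIUS's own code, but a small Python model of two rules the real server applies. A request from an address with no `client` stanza in clients.conf is dropped before the users file is consulted, and in the users file the first entry whose check items all match is used, with later entries tried only when that entry sets Fall-Through = Yes. The clients.conf and users texts below are constructed (10.0.0.60 and 10.0.0.226 are the addresses from the quoted post; 10.0.0.5, 10.0.0.99, the user name and the reply attribute values are assumptions), and only the check operators `==`, `=` and `:=` are modelled:

```python
import re

# Constructed clients.conf: only these three NAS addresses are known.
CLIENTS_CONF = """
client router1 {
\tipaddr = 10.0.0.60
\tsecret = testing123
}
client router2 {
\tipaddr = 10.0.0.226
\tsecret = testing123
}
client lab-switch {
\tipaddr = 10.0.0.5
\tsecret = testing123
}
"""

# Constructed users file in the shape quoted above. The per-device entries do
# not set Fall-Through, so the trailing DEFAULT reject is reached only when
# nothing before it matched.
USERS_OK = """
DEFAULT Auth-Type = Kerberos
\tFall-Through = Yes
DEFAULT Client-IP-Address == 10.0.0.60
\tService-Type = NAS-Prompt-User
DEFAULT Client-IP-Address == 10.0.0.226
\tService-Type = NAS-Prompt-User
DEFAULT Auth-Type := Reject
"""

# Same file with Fall-Through = Yes on the per-device entries: every request
# now continues to the final DEFAULT and is rejected, the symptom reported.
USERS_FALLTHROUGH = USERS_OK.replace(
    "NAS-Prompt-User\n", "NAS-Prompt-User,\n\tFall-Through = Yes\n")

# One "Attribute op value" item; the value may be quoted and ends at a comma.
ITEM = re.compile(r'([\w-]+)\s*(==|:=|=)\s*"?([^",\n]*)"?')


def parse_clients(text):
    """Addresses of the NAS devices the server is willing to talk to."""
    return set(re.findall(r"ipaddr\s*=\s*(\S+)", text))


def parse_users(text):
    """Split a users file into entries of (name, check items, reply items)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        items = [(a, op, v.strip()) for a, op, v in ITEM.findall(line)]
        if line[0] in " \t":                   # indented line: reply items
            entries[-1]["reply"].extend(items)
        else:                                  # new entry: name + check items
            entries.append({"name": line.split()[0], "check": items, "reply": []})
    return entries


def handle_request(client_ip, request, clients, entries):
    """Outcome ('drop', 'reject' or 'accept') and reply items for one request."""
    if client_ip not in clients:
        return "drop", {}                      # unknown NAS: users file never consulted
    attrs = dict(request)
    attrs["Client-IP-Address"] = client_ip     # set by the server, not the NAS
    reply = {}
    for entry in entries:
        if entry["name"] != "DEFAULT" and entry["name"] != attrs.get("User-Name"):
            continue
        if any(attrs.get(a) != v for a, op, v in entry["check"] if op == "=="):
            continue                           # a comparison failed: try next entry
        for a, op, v in entry["check"]:        # entry matched: apply assignments
            if op == ":=" or (op == "=" and a not in attrs):
                attrs[a] = v
        fall_through = False
        for a, op, v in entry["reply"]:
            if a == "Fall-Through":
                fall_through = v.lower() in ("yes", "1")
            else:
                reply[a] = v
        if not fall_through:
            break                              # first match wins unless Fall-Through
    if attrs.get("Auth-Type") == "Reject":
        return "reject", {}
    return "accept", reply


def outcome(users_text, client_ip, user_name="brian"):
    """Parse both constructed files and return only the verdict for one request."""
    return handle_request(client_ip, {"User-Name": user_name},
                          parse_clients(CLIENTS_CONF), parse_users(users_text))[0]


if __name__ == "__main__":
    for label, users in (("no fall-through", USERS_OK), ("fall-through", USERS_FALLTHROUGH)):
        for ip in ("10.0.0.60", "10.0.0.5", "10.0.0.99"):
            print(label, ip, outcome(users, ip))
```

With the first users text the two listed routers get accept, the known client 10.0.0.5 that matches no per-device entry falls to the final DEFAULT and gets reject, and 10.0.0.99 is dropped without the users file being read at all, which is the case Ivan says needs no catch-all. The second users text adds Fall-Through = Yes to the per-device entries and turns the 10.0.0.60 result into reject: the trailing DEFAULT is only reached when every earlier matching entry falls through, so a final reject already applies "only if there isn't a match previous to it" as long as the matching entries above it do not set Fall-Through.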