radcheck & NAS-identifier

To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org>
Subject: radcheck & NAS-identifier
From: YvesDM <ydmlog@gmail.com>
Date: Thu, 18 Oct 2007 09:14:49 +0200
Reply-to: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>

Hi,

FR + mysql auth&acct.
Sometimes I need to restrict users or groups to acces a certain NAS.
I use the nas-identifier attribute to recognize the nas
To accomplish this I just add an entry to radcheck or radgroupcheck like this

NAS-identifier != nas-name

This works fine but, sometimes I use radtest directly on the server to test accounts if someone claims he/she is unable to login.
Now for every user/group I've set the above entry in the database, radcheck on the server always returns an acces-reject for some reason.
Though, users can login the nas's they are allowed to and get rejected on the certain nas I've specified, so the setup itself is working.

But I've kind of lost my "account testing utitlity" :-)
I don't understand why radcheck fails on these accounts. I understand radcheck doesn't send any nas-identifier, but I used operator ' ! = '
and not ' ==' so shouldn't the radius accept radtest requests on localhost?
I 'm sure there is a good explanation why radtest returns an Acces-reject, but I'd like to know why and, if possible, if there is a solution/work-around for this.

Many tnx,
Y.

Previous by Date: Freeradius logging w/syslog
Next by Date: Re: accounting update
Previous by Thread: R: Sqlippool & debian - sql_get_socket unresolved symbol
Next by Thread: radius for cisco management
Freeradius-Users October 2007 archives indexes sorted by: [ thread ] [ subject ] [ author ] [ date ]
Freeradius-Users list archive Table of Contents
More information about the Freeradius-Users mailing list

This archive was generated by a fusion of Pipermail (Mailman edition) and MHonArc.