Best method to filter on calling-station-ID/IP Address?

D J djohnson50000 at gmail.com
Tue Oct 14 23:14:54 CEST 2008


All,

I have VPN users who connect to a Cisco ASA firewall, which authenticates
using radius off of Freeradius.  I would like to enforce which IP addresses
users may connect from.  Am I correct to assume the Radius server is the
best place to perform this?

If so, what is the best way to go about doing this?  Since our users.conf is
programmatically generated, hopefully the changing part of the configuration
can be isolated to this file?  Below is an example login from the
free-radius server.  I want to filter on "Calling-Station-Id", to enforce a
specified source IP which may vary by user.

Thanks!


rad_recv: Access-Request packet from host 3.3.3.3:1025, id=177, length=157
        User-Name = "john"
        User-Password = "xxxx"
        NAS-Port = xxxx
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Called-Station-Id = "1.1.1.1"
        Calling-Station-Id = "2.2.2.2"
        NAS-Port-Type = Virtual
        Tunnel-Client-Endpoint:0 = "4.4.4.4"
        NAS-IP-Address = 3.3.3.3
        Cisco-AVPair = "ip:source-ip=2.2.2.2N\233"
  Processing the authorize section of radiusd.conf