NAS-Identifier and radgroupcheck table

Arrigo Savio a.savio at bascom.it
Mon Jan 5 15:02:52 CET 2009


Hi everybody.
I'm configuring FreeRADIUS Version 2.1.1 on a Fedora 9 server.
I'm trying to create different groups containing different users. The final
goal is to differentiate RADIUS checks depending on which service users
are trying to authenticate to.

For example:
user1 at realm1 (in radius group1) coming from NAS_IP_1
user2 at realm2 (in radius group2) coming from NAS_IP_2
I want to add a check that blocks authentication of user2 if he tries to
authenticate from a NAS_IP different from NAS_IP_2.

I can do it (correctly) by adding the NAS-Identifier attribute in the radcheck
table for a single user. I want to extend this to the radgroupcheck table, so
that I do not have to add the specific attribute for each user; it will be
enough to add it only once in the radgroupcheck table, for the group the
user belongs to.

Now I have the NAS-Identifier attribute in the group table, but it is ignored
and the user can connect from a different NAS.

Here is my table situation:

mysql> select * from radcheck;
+----+----------+--------+--------------------+----+---------+
| id | username | realm  | attribute          | op | value   |
+----+----------+--------+--------------------+----+---------+
|  3 | user1    | realm1 | Cleartext-Password | := | passwd1 |
|  4 | user2    | realm1 | Cleartext-Password | := | passwd2 |
+----+----------+--------+--------------------+----+---------+

mysql> select * from radgroupcheck;
+----+-----------+----------------+----+----------+
| id | groupname | attribute      | op | value    |
+----+-----------+----------------+----+----------+
|  5 | group1    | NAS-Identifier | != | 10.0.0.1 |
|  6 | group2    | NAS-Identifier | != | 10.0.1.1 |
+----+-----------+----------------+----+----------+

mysql> select * from radusergroup;
+----------+--------+-----------+----------+
| username | realm  | groupname | priority |
+----------+--------+-----------+----------+
| user1    | realm1 | group1    |        1 |
| user2    | realm2 | group2    |        1 |
+----------+--------+-----------+----------+

Can anyone help me to solve this problem?
Thanks,
Arrigo.



