NAS-IP-Address modified during Access-Request process

kevin leblanc kevinzebeste at gmail.com
Tue Jun 23 17:13:05 CEST 2009


On Mon, Jun 22, 2009 at 23:08, Ivan Kalik <tnt at kalik.net> wrote:

> > I installed freeradius 2 but my problem is still there.
> > As a reminder:
> >
> > I configured Freeradius to look in an openldap directory to authenticate and
> > authorize a user.
> > The authentication phase is OK.
> > During the authorize phase, an ldap search is done: if the user is a member
> > of a group identified by the IP of the host he wants to connect to, the user is
> > authorized.
> > The problem is here: freeradius receives an Access-Request packet with a
> > NAS-IP-Address (the good one) and to search in the ldap, it doesn't send
> > the ip received in the packet but another one!
>
> Dynamic expansion for Ldap and SQL-Group doesn't work in users file. I can
> replicate this. But it works in unlang:
>
> if(Ldap-Group == "%{NAS-IP-Address}") {
> ...
> }
>
> will work just fine.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
:) It works fine!

To help users who have the same problem, I put these lines in the authorize
section:

if(Ldap-Group == "%{NAS-IP-Address}") {
    ok
}
else {
    reject
}

Thanks!
-- 
KeV