only unix group teachers logging to freeradius should have switched-off ipcop-url-filter

Alan Buxey A.L.M.Buxey at lboro.ac.uk
Mon Oct 5 11:06:14 CEST 2009


Hi,

> All teachers and some pupils with a login-permission e.g. "hartmagi"
> and "goebelle" are able to use the freeradius-login to ipcop-blue of
> our schoolserver. At ipcop an url-filter is running for _all_ users
> in our ipcop-green- and ipcop-blue-wlan-net, but in the
> ipcop-configuration it is possible to switch off the url-filter for an
> internal ip-range e.g. for a part of the just used
> freeradius-dhcp-range 172.16.19.0
> Now I search for a possibility to switch off the url-filter _only_
> for the unix-group "teachers" in our ipcop-blue-net. -- Is it possible
> to realize that with ippool-tool of freeradius?

whilst I can understand the nature of the IPCop system I don't think that
it understands RADIUS CSA return attributes.... so, whilst you can login
using FR, I don't think the system is designed to put you onto different
networks (which is what you need to use the IPCop range that doesn't have
a filter.).

however, if it DOES allow you to return a specific filter value, then
simply define the value as part of the return attribute for the teacher
group.... or, if it understands IP allocation (and the RADIUS return
attribute is able to influence the IPCop DHCP system) then return the
required IP address range for teacher group (or address per teacher).

however, I would suggest moving to a more robust system - e.g. 802.1X - where
the login is at network level and you can separate teacher systems or
login sessions at the network layer so they have access at resource level
in a separate IP subnet etc - your IPCop then is the router/gateway and
their systems can operate without (or with less) filters.

that said, what age are the students? At certain age range they can be very very
resourceful and so the idea that some systems can access all kinds of
things might be the stimulus they need to want to get access...and basing
access on what could be quite a weak password could be an undoing. I would
say that all people should be restricted to the same filters in that
workplace.... but I don't write your policy  :-)

alan
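
The per-group return attributes described in the reply, sketched for the 802.1X case as an added example that is not part of the original message: a FreeRADIUS `users` file fragment that places members of the unix group "teachers" in their own VLAN and everyone else in the filtered one. The VLAN IDs 20 and 30 are constructed placeholders; it assumes the access points honour RADIUS dynamic VLAN assignment and that the `unix` module is enabled so `Group` is compared against the system groups.

```conf
# users file fragment (added example, not from the original thread).
# Entries are evaluated top to bottom; the first matching DEFAULT wins
# because no Fall-Through is set.

# Members of the unix group "teachers": assign the teacher VLAN.
# VLAN ID "20" is a constructed placeholder for the subnet that the
# gateway exempts from the URL filter.
DEFAULT Group == "teachers"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "20"

# Everyone else who authenticates (pupils with login permission):
# assign the filtered VLAN. VLAN ID "30" is a constructed placeholder.
DEFAULT
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "30"
```

The gateway then filters by source subnet only, so the exemption follows the authenticated group rather than a DHCP range any client could land in.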


