RADIUS configuration based on source IP
Morty
morty at frakir.org
Wed Aug 31 03:06:45 CEST 2011
On Tue, Aug 30, 2011 at 06:43:40PM +0200, Arran Cudbard-Bell wrote:
> On 30 Aug 2011, at 18:21, Morty wrote:
> > but this device apparently also doesn't set
> > NAS-IP-Address or NAS-Identifier, so the usual huntgroup mechanism
> > doesn't work.
> Then it's not in compliance with RFC 2865 and you should go beat
> Cisco up about it.
Yup, we've been pursuing that angle in parallel. :) I figured/hoped,
though, that someone else had already been through this and that there
was a workaround. The Packet-Src-IP-Address you describe below sounds
like just the ticket.
> Can't you include both AVPs with the += operator? Or does the Cisco
> device throw a hissy fit?
I had tried sending both. The Cisco devices threw a hissy fit. :) Or
more specifically, they ignored whichever attribute was second.
Whichever order I put the VSAs in, I wasn't able to get read-write on
something.
> If the packets aren't going through a proxy or NAT then you can use
> Packet-Src-IP-Address instead of NAS-IP-Address.
Excellent, thanks!
Proxies are not an issue today. They may be an issue in the future,
though. It's likely that my proxy will itself be running freeradius.
Does Client-IP-Address have the same problem with proxies? If yes, is
there a workaround I can use on the proxy itself to populate
NAS-IP-Address based on Packet-Src-IP-Address?
> Oh come on the Cistron page hasn't received any love since 06, you
> know you want to switch :)
Oh, I *definitely* want to switch. :)
- Morty
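
The Packet-Src-IP-Address workaround discussed above, as an added configuration sketch that is not part of the original message or the project's shipped config. It assumes FreeRADIUS 2.x unlang, a server that receives packets directly from the device (no proxy or NAT in between, as the thread notes), and constructed values: 192.0.2.10 is a documentation address and "cisco-nonas" is a hypothetical huntgroup name.

```text
# sites-enabled/default (assumed location)
authorize {
        # Fill in NAS-IP-Address only when the device left it out, so
        # RFC-compliant clients keep the value they sent.
        if (!NAS-IP-Address) {
                update request {
                        NAS-IP-Address = "%{Packet-Src-IP-Address}"
                }
        }

        # preprocess evaluates the huntgroups file, so it must run after
        # the update above for the synthesized attribute to be matched.
        preprocess

        files
}

# huntgroups file (constructed entry):
#   cisco-nonas   NAS-IP-Address == 192.0.2.10
#
# users file (constructed entry) keyed on that huntgroup:
#   DEFAULT   Huntgroup-Name == "cisco-nonas"
```

Because the synthesized value is the UDP source address of the packet, any policy keyed on it is only as trustworthy as the clients.conf entry and shared secret for that source address.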