Post Auth Configurations
Navodit Bhardwaj
navodit.bhardwaj at gmail.com
Fri Jul 19 06:29:42 CEST 2013
Hi
To proceed with unlang, how can I ensure that the Access-Request contains a
specific IE?
For example:
- <IMEI Field> : 1234567890123
- <Hardware Id> : AC12BD54FS56TRZS506
- etc..
Also, is there any limitation on the number of parameters and size that can be
contained in any Access-Request?
I wish to compare these field values to my database and, if not present in the
Request, directly process a Reject.
Br, Navodit
On Thu, Jul 18, 2013 at 10:04 PM, Matt Zagrabelny <mzagrabe at d.umn.edu> wrote:
> On Thu, Jul 18, 2013 at 10:46 AM, Alan DeKok <aland at deployingradius.com>
> wrote:
> > Navodit Bhardwaj wrote:
> >> For each Access-Request received and authenticated successfully I want
> >> to do the following:
> >>
> >> 1. Verify if Access-Request contains a parameter, i.e. IMEI of mobile
> >> 2. If Not, send Access-Reject. Else,
> >> 3. compare IMEI to value in database and assign a 32bit hex number in
> >> Access-Accept
> >
> > You should be able to just write this in unlang. Write down which
> > attributes you have, and what values you're looking for. Then, write
> > the logic.
>
> Navodit,
>
> I just asked a similar question and this is the logic I added to my
> default site, right after 'preprocess':
>
> if (CVPN3000-Tunnel-Group-Name == 'Bookstore') {
>     if (SQL-Group == 'RADIUS:bookstore') {
>         noop
>     }
>     else {
>         reject
>     }
> }
>
> What the above logic "says" is:
>
> If the user is requesting to be in the Bookstore VPN group then if
> they are part of the RADIUS:bookstore group, continue (noop), else
> reject them.
>
> You'll need to change 'CVPN3000-Tunnel-Group-Name' and 'Bookstore',
> and remove the second 'if' statement.
>
> >> Basically, I am doing a second authentication after initial
> >> authentication (PAP, CHAP) is successful.
> >
> > Don't do that. Do it *before* PAP or CHAP. In the "authorize"
> > section.
>
> Alan,
>
> I've got a similar question that dovetails into this discussion.
> Suppose I wanted to reject certain users and wanted the Reply-Message
> to be customized per user authenticating, but I want to ensure that I
> am not leaking the customized message. Is there a way to test the
> user/pw combo first and *then* perform unlang logic?
>
> Thanks,
>
> -mz
--
br,
Navodit Bhardwaj
Hughes Systique Corporation
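
The three steps quoted above (check the attribute is present, reject if not, look it up and return a value), placed in "authorize" after 'preprocess' and before PAP/CHAP as the replies suggest. This is an added example, not configuration posted by anyone in the thread. Example-IMEI, Example-Device-Token, the example_devices table and its columns are hypothetical names, and a configured sql module is assumed.

```unlang
# Added example. Example-IMEI, Example-Device-Token and example_devices
# are hypothetical; the attributes must be defined in your dictionary.
authorize {
	preprocess

	# Steps 1-2: the request must carry the device attribute at all.
	if (!Example-IMEI) {
		reject
	}

	# Step 3: look the value up through the sql module's xlat.
	# rlm_sql escapes attribute values expanded inside the query string.
	update control {
		Tmp-String-0 := "%{sql:SELECT token FROM example_devices WHERE imei = '%{Example-IMEI}'}"
	}

	# No matching row gives an empty expansion: unknown device, reject.
	if ("%{control:Tmp-String-0}" == "") {
		reject
	}

	# Known device: return its stored value in the Access-Accept.
	update reply {
		Example-Device-Token := "%{control:Tmp-String-0}"
	}

	# Password checks (CHAP, PAP) still run after this point.
	chap
	pap
}
```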