Username/Host authorization

Alan DeKok aland at deployingradius.com
Mon Jun 24 15:34:16 CEST 2013


nicolas.clo at ricoh-industrie.fr wrote:
> We want two authorization in the same times, for example, to ensure that
> user not used his iPhone with his DOMAIN/UserName account.

  That is fairly vague.  You're working with computers.  Be specific.

  WHAT is in an Access-Request when they login using a desktop?

  WHAT is in an Access-Request when they login using their phone?

  HOW are the two requests different?

  Once you know that, it should be easy to create rules which can
distinguish one from the other.  And then apply different rules to each one.

> Mac Authorization is not a good way for us ( Too restrictive to keep up
> to date )
> Authorization by certificat too because we have a lot of hosts which
> doesn't support that.

  You're limited by what is in the Access-Request.  If the only
difference between a desktop and iPhone is a MAC address, too bad.
Computers aren't magic.

  My guess is that the only thing which will really work is MAC address
filtering.  I'd suggest finding a way to make it manageable.

  Alan DeKok.


More information about the Freeradius-Users mailing list