NAS-IP-Address Match Using Groups - Freeradius 3.0

Ope Abe mide.groupon at gmail.com
Fri Feb 21 12:26:44 CET 2020


Hi there,

I am a newbie and learning how to use freeradius 3.0 and I wanted to
configure match criteria in both the users file and the hints file to perform a
specific action when RADIUS auth requests are received from a specific
range of NAS IP addresses.

I thought this could be done by specifying the regexp for the range of IP
addresses in the hints and users file using the =~ operator e.g.:

*users file*
Default         NAS-IP-Address =~ ^81\.1\.(7[6-9]|8[0-3])\.41$
                    Framed-Protocol := PPP,
                    Tunnel-Preference:1 += 1,
                    Tunnel-Preference:2 += 1,
                    Tunnel-Server-Endpoint:1 += 16.39.255.14,
                    Tunnel-Server-Endpoint:2 += 16.39.255.14

*hints file*
Default         NAS-IP-Address =~ ^81\.1\.(7[6-9]|8[0-3])\.41$
                    User-Name := "%{User-Name}.ppp"

For both cases above, the regexp would match the following IPs:
81.1.76-83.41

My understanding is what I've done would work fine for freeradius 2.x.
However, for freeradius 3.0 I need to create a group and define my list of
NAS IPs under the group which I can then use as a match criteria in the
hints and users file.

I know how to define a new string attribute for the group using the
dictionary file in etc/freeradius/3.0 but I am not sure where I need to
define the NAS IP addresses against the group, and also where I need to set
the group attribute using unlang like this:

update request {
        My-Group := "foo"
}

I just need someone to help confirm if the steps I've specified below are
correct:

Define new string attribute in etc/freeradius/3.0/dictionary

ATTRIBUTE      NAS-Group    3003   string

in /etc/freeradius/3.0/group_local, I define the following:

lts:81.1.76.41
lts:81.1.77.41
lts:81.1.78.41
lts:81.1.79.41
lts:81.1.80.41
lts:81.1.81.41
lts:81.1.82.41
lts:81.1.83.41

in /etc/freeradius/3.0/mods-available/etc_group, I add the following to the
file:

passwd group_local {
filename = /etc/freeradius/3.0/group_local
format = "NAS-Group:*NAS-IP-Address"
hash_size = 50
ignore_nislike = yes
allow_multiple_keys = no
delimiter = ":"
}

in /etc/freeradius/3.0/sites-enabled/default, I add the following in the
authorize { } section immediately after the preprocess module i.e.:

authorize {
        preprocess
        update request {
                NAS-Group := "lts"
        }
}

Then update the users and hints files to reflect the following:

*users file*
Default         NAS-Group == "lts"
                    Framed-Protocol := PPP,
                    Tunnel-Preference:1 += 1,
                    Tunnel-Preference:2 += 1,
                    Tunnel-Server-Endpoint:1 += 16.39.255.14,
                    Tunnel-Server-Endpoint:2 += 16.39.255.14

*hints file*
Default         NAS-Group == "lts"
                    User-Name := "%{User-Name}.ppp"

Does this make any sense at all? Is this the way I need to implement what
I'd like to achieve?

Many thanks in anticipation of your response.

Abe.
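A worked check of the two approaches described in the post, added here as an example and not part of the original message or of FreeRADIUS itself. It verifies that the anchored NAS-IP-Address regex selects exactly the eight addresses 81.1.76.41 through 81.1.83.41 and nothing else, and it reads a constructed stand-in for the `group_local` file using the post's `NAS-Group:*NAS-IP-Address` layout (the `*` column is the lookup key) to confirm both select the same NAS IPs. The file parser is a simplified reimplementation for illustration, not rlm_passwd's own lookup logic.

```python
import re

# Anchored pattern from the post: ^ and $ keep it from matching inside
# longer strings such as 181.1.76.41 or 81.1.76.410.
NAS_RE = re.compile(r"^81\.1\.(7[6-9]|8[0-3])\.41$")

# Constructed stand-in for /etc/freeradius/3.0/group_local (same content
# as the post, embedded here so the example runs offline).
GROUP_FILE = """\
lts:81.1.76.41
lts:81.1.77.41
lts:81.1.78.41
lts:81.1.79.41
lts:81.1.80.41
lts:81.1.81.41
lts:81.1.82.41
lts:81.1.83.41
"""


def parse_group_file(text, fmt="NAS-Group:*NAS-IP-Address", delimiter=":"):
    """Build {key_value: {attr: value}} from a delimited file.

    The column whose name starts with '*' in the format string is the lookup
    key, mirroring the post's rlm_passwd format. Simplified illustration only.
    """
    fields = fmt.split(delimiter)
    key_idx = next(i for i, f in enumerate(fields) if f.startswith("*"))
    names = [f.lstrip("*=~") for f in fields]
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        cols = line.split(delimiter)
        if len(cols) != len(fields):
            raise ValueError(f"malformed line: {line!r}")
        table[cols[key_idx]] = {
            names[i]: cols[i] for i in range(len(cols)) if i != key_idx
        }
    return table


def lookup_group(table, nas_ip):
    """Return the NAS-Group for a NAS-IP-Address, or None if it is not listed."""
    return table.get(nas_ip, {}).get("NAS-Group")


def regex_matches(nas_ip):
    """True when the post's regex accepts this NAS-IP-Address string."""
    return NAS_RE.match(nas_ip) is not None


def regex_and_group_file_agree(table):
    """Sweep 81.1.X.Y for every X and a few Y values around 41 and confirm the
    regex and the group file accept exactly the same addresses."""
    for third in range(256):
        for fourth in (40, 41, 42):
            ip = f"81.1.{third}.{fourth}"
            if regex_matches(ip) != (lookup_group(table, ip) == "lts"):
                return False
    return True


if __name__ == "__main__":
    groups = parse_group_file(GROUP_FILE)
    for ip in ("81.1.76.41", "81.1.83.41", "81.1.84.41", "181.1.76.41"):
        print(ip, "regex:", regex_matches(ip), "group:", lookup_group(groups, ip))
    print("regex and group file agree:", regex_and_group_file_agree(groups))
```

Running it prints the per-address results for a few in-range and out-of-range addresses and a final agreement line; if you later extend the group file, the sweep will flag any address where the regex and the file disagree.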

