NAS-IP-Address Match Using Groups - Freeradius 3.0

Ope Abe mide.groupon at gmail.com
Fri Feb 21 15:18:59 CET 2020


Thanks Alan for the tip, this is what I've done and it works as expected
for what I was trying to achieve:

>Or, you can use "unlang", and do a network mask check, or a regular
expression check in "unlang".

Define new string attribute in etc/freeradius/3.0/dictionary

ATTRIBUTE      NAS-Group    3003   string

in /etc/freeradius/3.0/sites-enabled/default, I add the following in the
authorize { } section immediately before the preprocess module as the
NAS-Group value will be used in the hints file to apply a suffix to the
username i.e.:

authorize {
if (NAS-IP-Address =~ /^81\.1\.(7[6-9]|8[0-3])\.41$/) {
update request {
NAS-Group := "lts"
        }
}
preprocess
}

The updated users and hints files to reflect the following:

users file
Default         NAS-Group == "lts"
                    Framed-Protocol := PPP,
                    Tunnel-Preference:1 += 1,
                    Tunnel-Preference:2 += 1,
                    Tunnel-Server-Endpoint:1 += 16.39.255.14,
                    Tunnel-Server-Endpoint:2 += 16.39.255.14

hints file
Default         NAS-Group == "lts"
                    User-Name :="%{User-Name}.ppp"

For request which don't match the NAS-IP-Address specified in the regexp
match, alternative default values were applied. Thanks for the tip, I'm
really grateful.



On Fri, 21 Feb 2020 at 13:21, Alan DeKok <aland at deployingradius.com> wrote:

> On Feb 21, 2020, at 12:26 PM, Ope Abe <mide.groupon at gmail.com> wrote:
> > I am newbie and learning how to use freeradius 3.0 and I wanted to
> > configure a match criteria in both users file and hints file to perform a
> > specific action when RADIUS auth requests are received from a specific
> > range of NAS IP addresses.
> >
> > I thought this could be done by specifying the regexp for the range of IP
> > addresses in the hints and users file using the =~ operator e.g.:
>
>   v3 doesn't support regular expressions in the "users" file.
>
> > My understanding is what I've done would work fine for freeradius 2.x.
> > However, for freeradius 3.0 I need to create a group and define my list
> of
> > NAS IPs under the group which I can then use as a match criteria in the
> > hints and users file.
>
>   Or, you can use "unlang", and do a network mask check, or a regular
> expression check in "unlang".
>
> > Does this make any sense at all? Is this the way I need to implement what
> > I'd like to achieve?
>
>   That should work.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html


More information about the Freeradius-Users mailing list