<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:times new roman, new york, times, serif;font-size:12pt"><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;">Alan,<br> Thank you very much for the information.<br><br> What I am looking for is to allow a user ("bob") to authenticate from any system he uses UNLESS that system is blocked from authenticating.<br><br> I mean "bob" could authenticate from "server1" but not from "server2" - restricting it (somehow) by the IP address of the source - not by the user account.<br><br> Nobody could authenticate from "server2" - anyone could authenticate from "server1" (with valid credentials).<br><br> It seems that AIX RADIUS cannot do this - can FreeRADIUS?<br><br> Someone else suggested using IPTables to not allow "server2" to talk to the RADIUS
server - but I thought that the communication was from the firewall to the RADIUS server, not from the user system (although I will be looking into this).<br><br> Anyway - to recap/summarize:<br><br> Can FreeRADIUS be configured to allow/disallow authentication based on the source IP address that the user is coming from and NOT the user account itself (allowing "bob" to authenticate from "server1" which is not 'banned', but not allowing "bob" to authenticate from "server2" which is 'banned')?<br> And, if so - how?<br><br><br><br><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;">----- Original Message ----<br>From: Alan DeKok <aland@deployingradius.com><br>To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org><br>Sent: Thursday, December 21, 2006 12:48:50 PM<br>Subject: Re: Questions from a totally ignorant n00b<br><br><div>Gene Mosley wrote:<br>>
Alan,<br>> Could you perhaps give me a hint about how one would go about<br>> allowing any user from any system (_unless_ that system is listed for<br>> the specific purpose of not allowing anyone to authenticate from it) to<br>> authenticate?<br><br> You've phrased the problem in a very complicated way.<br><br> By default, any user is allowed to authenticate from any NAS. You<br>don't have to do anything to enable this behavior.<br><br> If you want NO ONE to authenticate from a particular NAS, then don't<br>list the NAS IP address in clients.conf.<br><br> If you want only SOME people to authenticate from a particular NAS,<br>see the FAQ.<br><br><a target="_blank"
href="http://wiki.freeradius.org/index.php/FAQ#How_do_I_deny_access_to_a_specific_user.2C_or_group_of_users.3F">http://wiki.freeradius.org/index.php/FAQ#How_do_I_deny_access_to_a_specific_user.2C_or_group_of_users.3F</a><br><br> Alan DeKok.<br>--<br> <a target="_blank" href="http://deployingradius.com">http://deployingradius.com</a> - The web site of the book<br> <a target="_blank" href="http://deployingradius.com/blog/">http://deployingradius.com/blog/</a> - The blog<br>- <br>List info/subscribe/unsubscribe? See <a target="_blank" href="http://www.freeradius.org/list/users.html">http://www.freeradius.org/list/users.html</a><br></div></div><br></div></div></body></html>