Hoping to be more helpful here, I know how to implement this functionality in freeradius, but only when using a mysql database backend (which is a good idea for most setups using more than about 20 users). <br><br>I am assuming you want to control user logins to multiple NASes and this is what you meant by "user 'x' can only login to IP addr 'y' and /or 'z'". If you need to just filter traffic based on real network devices, for example where Y and Z are IP addresses on your network, you can safely ignore my first radgroupcheck entry below that restricts NAS choice.
<br>If you get a standard mysql setup working, all you need to do is add the user's password to radcheck (for table names "username,attribute,op,value" you should have "bobengineer,User-Password,==,nortel"), and add the user to a group in radgroup (username, group = bobengineer,engineers). Then you can set group-specific policies by putting entries in radgroupcheck and radgroupreply, such as...:
<br><br>radgroupcheck: [groupname,attribute,op,value]<br>engineers,NAS-IP-Address,==,11.22.33.44 (all engineers connecting must do so from the NAS with IP address 11.22.33.44)<br>engineers,Pool-Name,==,engineers_pool (all engineers connecting will be assigned an IP from the 'engineers' IP pool, which means you can firewall them off using IPTables (or the Shorewall frontend to iptables, which I recommend using) or something similar)
<br><br>Basically this provides you with both tools you will need - the ability to restrict where users can log into, and the ability to restrict what IP address users receive. You'll need to set up rlm_ippool to automatically assign IPs, and you'll want to make sure your NAS devices send accounting packets (accounting start/stop are important - also if accounting stops aren't sent, you'll run out of IP addresses).
<br><br>Hope this is a little more helpful than the usually flippant replies on the mailing list, I was in the same boat before too :-)<br><br>thanks,<br><br>Jan<br><br><br><div><span class="gmail_quote">On 16/01/07, <b class="gmail_sendername">
Peter Nixon</b> <<a href="mailto:listuser@peternixon.net">listuser@peternixon.net</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Yep. It's called a firewall...<br><br>-Peter<br><br>On Tue 02 Jan 2007 20:39, Ellis, Scott 1 (N-Comptel Inc.) wrote:<br>> I am using PAM for auth-type in my users file. Is there a simple way to<br>> say that user 'x' can only login to IP addr 'y' and /or 'z'? I have
<br>> groups of engrs, admins, and operators and need to discriminate who can<br>> access which device........<br>><br>> Scott<br>><br>> -----Original Message-----<br>> From: Ellis, Scott 1 (N-Comptel Inc.)
<br>> Sent: Tuesday, January 02, 2007 11:40 AM<br>> To: 'FreeRadius users mailing list'<br>> Cc: Ellis, Scott 1 (N-Comptel Inc.)<br>> Subject: RE: How to restrict users /PAM to specific NAS devices??<br>
><br>> I have looked it over, but I am still not clear. I was thinking that I<br>> could use huntgroups to map devices to specific groups, but then I am<br>> not clear on how to restrict users ('users' file) to those groups. I
<br>> know this has probably been done most everywhere in one form or another.<br>> Any examples that show the actual entries in the approp. files?<br>><br>> Thanks,<br>> Scott<br>><br>> -----Original Message-----
<br>> From:<br>> freeradius-users-bounces+scott.1.ellis=<a href="mailto:lmco.com@lists.freeradius.org">lmco.com@lists.freeradius.org</a><br>> [mailto:<a href="mailto:freeradius-users-bounces+scott.1.ellis=lmco.com@lists.freeradius">
freeradius-users-bounces+scott.1.ellis=lmco.com@lists.freeradius</a><br>> .org] On Behalf Of Alan DeKok<br>> Sent: Tuesday, January 02, 2007 9:43 AM<br>> To: FreeRadius users mailing list<br>> Subject: Re: How to restrict users /PAM to specific NAS devices??
<br>><br>> Ellis, Scott 1 (N-Comptel Inc.) wrote:<br>> > I am using PAM for Auth-Type.<br>> > I want to be able to either 1) restrict the devices the user has<br>> > access to (admins,operators, etc) by username and/or 2) preferably
<br>> > carve into groups my network gear/NAS devices and then assign users to<br>><br>> groups.<br>><br>> See "man rlm_passwd". Its documentation describes how to create<br>> groups like this.
<br>><br>> Alan DeKok.<br>> --<br>> <a href="http://deployingradius.com">http://deployingradius.com</a> - The web site of the book<br>> <a href="http://deployingradius.com/blog/">http://deployingradius.com/blog/
</a> - The blog<br>> -<br>> List info/subscribe/unsubscribe? See<br>> <a href="http://www.freeradius.org/list/users.html">http://www.freeradius.org/list/users.html</a><br>> -<br>> List info/subscribe/unsubscribe? See
<br>> <a href="http://www.freeradius.org/list/users.html">http://www.freeradius.org/list/users.html</a><br><br>--<br><br>Peter Nixon<br><a href="http://www.peternixon.net/">http://www.peternixon.net/</a><br>PGP Key: <a href="http://www.peternixon.net/public.asc">
http://www.peternixon.net/public.asc</a><br><br><br>-<br>List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html">http://www.freeradius.org/list/users.html</a><br><br><br></blockquote></div>
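The SQL rows that implement Jan's recipe above, as an added example that is not part of the thread or of FreeRADIUS itself. It assumes the FreeRADIUS 2.x MySQL schema (tables radcheck, radusergroup, radgroupcheck, radgroupreply; the 1.x schema named the user-to-group table "usergroup") and the FreeRADIUS operator convention of ':=' for "set" check items such as the password and pool name. The user, password, NAS address and pool name are the thread's own values; the second NAS address 11.22.33.45 and the netmask are made up for illustration. It also goes one step beyond the thread: because every radgroupcheck row for a group must match, two separate NAS-IP-Address rows would never both be true, so the "y and/or z" case from the original question is expressed as a single regex check item.

```sql
-- Added example (not from the thread): MySQL rows implementing Jan's recipe
-- against the FreeRADIUS 2.x schema (table names are an assumption about the
-- version in use). Operators: ':=' sets a check item, '==' / '=~' compare
-- the request attribute against the stored value.

-- 1. Credential for the user. Cleartext-Password := ... is the 2.x
--    convention for a plaintext secret; a hashed form (e.g. Crypt-Password)
--    is preferable where the NAS authentication method allows it.
INSERT INTO radcheck (username, attribute, op, value)
VALUES ('bobengineer', 'Cleartext-Password', ':=', 'nortel');

-- 2. Group membership; priority orders groups when a user is in several.
INSERT INTO radusergroup (username, groupname, priority)
VALUES ('bobengineer', 'engineers', 1);

-- 3. Group check items. All rows for a group are ANDed, so to allow logins
--    from either of two NASes (11.22.33.44 from the thread, 11.22.33.45 is a
--    constructed second NAS) use one regex row rather than two '==' rows.
INSERT INTO radgroupcheck (groupname, attribute, op, value)
VALUES ('engineers', 'NAS-IP-Address', '=~', '^11\\.22\\.33\\.(44|45)$');

-- Pool-Name is the check item rlm_ippool reads: group members draw their
-- address from the "engineers_pool" range, which the firewall can match on.
INSERT INTO radgroupcheck (groupname, attribute, op, value)
VALUES ('engineers', 'Pool-Name', ':=', 'engineers_pool');

-- 4. Group reply items returned to the NAS (netmask value is illustrative).
INSERT INTO radgroupreply (groupname, attribute, op, value)
VALUES ('engineers', 'Framed-IP-Netmask', '=', '255.255.255.0');

-- Sanity check: list the policy a given user will be evaluated against.
SELECT u.username, u.groupname, c.attribute, c.op, c.value
FROM radusergroup u
JOIN radgroupcheck c ON c.groupname = u.groupname
WHERE u.username = 'bobengineer'
ORDER BY u.priority;
```

With these rows in place, a request for bobengineer from a NAS outside the regex is rejected before any password check, and an accepted session is handed an address from engineers_pool; as Jan notes, rlm_ippool only returns that address to the pool when the NAS sends an Accounting-Stop, so watching for missing stops is part of operating this setup.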
<br>