Gene Mosley wrote:
Users are authenticating from systems that they should not be authenticating from - we need to block authentication on a per system (IP address) basis, not a per user basis.
You can do this in FreeRADIUS. Put users into different groups, and block the group from accessing particular systems.
Users should be allowed to authenticate from any system that they are using _except_ a certain, specific list of IP addresses which would basically be banned/blocked from authenticating.
This can be done, too.
Is this something that FreeRADIUS can do?
Yes.
I just started reading about it - and if nothing else it looks like exec-program-wait might be used to test the IP address and return an authentication failure?
That will work, too, but will be less efficient. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog