tnt@kalik.co.yu wrote:
Yes. Use NAS-IP-Address as check item. If you need a list of groups and/or users/callerIDs/etc. that are allowed then use a huntgroup.
I added the following lines to huntgroup. fw-pix NAS-IP-Address == 10.0.0.1 fw-pix NAS-IP-Address == 10.0.0.2 fw-pix-group NAS-IP-Address == 10.0.0.1 User-Name = fw-admin, Group = fw-group However, I'm getting the following error. Could someone please give me few pointers? Norman --- Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 5 ID 25 with timestamp 46362f79 Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 26 to 10.0.0.1:1812 Cisco-AVPair = "shell:priv-lvl=1" Waking up in 4 seconds... rad_recv: Access-Request packet from host 10.0.0.1:1812, id=27, length=109 User-Name = "fw-admin" NAS-IP-Address = 10.0.0.1 Calling-Station-Id = "10.0.0.3" User-Password = "\025\372\202`\370RE\005\327\231^\200\303\353" NAS-Port = 27 Cisco-AVPair = "ip:source-ip=10.0.0.3" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "chap" returns noop for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "fw-admin", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 7 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 7 users: Matched DEFAULT at 152 modcall[authorize]: module "files" returns ok for request 7 modcall: group authorize returns ok for request 7 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_unix: [fw-admin]: invalid password modcall[authenticate]: module "unix" returns reject for request 7 modcall: group authenticate returns reject for request 7 auth: Failed to validate the user. Login incorrect: [fw-admin] (from client pix-network port 27 cli 10.0.0.3) WARNING: Unprintable characters in the password. ? Double-check the shared secret on the server and the NAS! Delaying request 7 for 1 seconds Finished request 7 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 6 ID 26 with timestamp 46362f7e Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 27 to 10.0.0.1:1812 Cisco-AVPair = "shell:priv-lvl=1" Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 7 ID 27 with timestamp 46362f83 Nothing to do. Sleeping until we see a request.