Hoping to be more helpful here, I know how to implement this functionality in freeradius, but only when using a mysql database backend (which is a good idea for most setups using more than about 20 users). I am assuming you want to control user logins to multiple NASes and this is what you meant by "user 'x' can only login to IP addr 'y' and /or 'z'". If you need to just filter traffic based on real network devices, for example where Y and Z are IP addresses on your network, you can safely ignore my first radgroupcheck entry below that restricts NAS choice. If you get a standard mysql setup working, all you need to do is add the user's password to radcheck (for table names "username,attribute,op,value" you should have "bobengineer,User-Password,==,nortel"), and add the user to a group in radgroup (username, group = bobengineer,engineers). then you can set group-specific policies by putting entries in radgroupcheck and radgroupreply, such as...: radgroupcheck: [groupname,attribute,op,value] engineers,NAS-IP-Address,==,11.22.33.44 (all engineers connecting must do so from NAS with IP addrss 11.22.33.44) engineers, Pool-Name,==,engineers_pool (all engineers connecting will be assigned an IP from the 'engineers' IP pool, which means you can firewall them off using IPTables (or the Shorewall frontend to iptables, which I recommend using) or something similar) Basically this provides you with both tools you will need - the ability to restrict where users can log into, and the ability to restrict what IP address users recieve. You'll need to set up rlm_ippool to automatically assign IPs, and you'll want to make sure your NAS devices send accounting packets (accounting start/stop are important - also if accounting stop's aren't sent, you'll run out of IP addresses). Hope this is a little more helpful than the usually flippent replies on the mailing list, I was in the same boat before too :-) thanks, Jan On 16/01/07, Peter Nixon <listuser@peternixon.net> wrote:
Yep. Its called a firewall...
-Peter
On Tue 02 Jan 2007 20:39, Ellis, Scott 1 (N-Comptel Inc.) wrote:
I am using PAM for auth-type in my users file. Is there a simple way to say that user 'x' can only login to IP addr 'y' and /or 'z'? I have groups of engrs, admins, and operators and need to discriminate who can access which device........
Scott
-----Original Message----- From: Ellis, Scott 1 (N-Comptel Inc.) Sent: Tuesday, January 02, 2007 11:40 AM To: 'FreeRadius users mailing list' Cc: Ellis, Scott 1 (N-Comptel Inc.) Subject: RE: How to restrict users /PAM to specific NAS devices??
I have looked it over, but I am still not clear. I was thinking that I could use huntgroups to map devices to specific groups, but then I am not clear on how to restrict users ('users' file) to those groups. I know this has probably been done most everywhere in one form or another. Any examples that show the actual entries in the approp. files?
Thanks, Scott
-----Original Message----- From: freeradius-users-bounces+scott.1.ellis=lmco.com@lists.freeradius.org [mailto:freeradius-users-bounces+scott.1.ellis=lmco.com@lists.freeradius .org] On Behalf Of Alan DeKok Sent: Tuesday, January 02, 2007 9:43 AM To: FreeRadius users mailing list Subject: Re: How to restrict users /PAM to specific NAS devices??
Ellis, Scott 1 (N-Comptel Inc.) wrote:
I am using PAM for Auth-Type. I want to be able to either 1) restrict the devices the user has access to (admins,operators, etc) by username and/or 2) preferably carve into groups my network gear/NAS devices and then assign users to
groups.
See "man rlm_passwd". It's documentation describes how to create groups like this.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html