On 30/03/2017 03:15, wefwe fewfew wrote:
However one thing I'm totally unable to figure out is how I can base authentication on which NAS a user is trying to log in from.
I've been reading the mailing lists, googling, and there are people with similar questions but I've yet to find an answer. Hopefully somebody can give me some pointers:)
Goal:
Have multiple NAS' in remote locations authenticate with a central Freeradius server.
The NAS' will be in remote locations, I won't always know the IP and in some cases they will be using the same IP as they are behind a private network. Setting up radius proxies at the remote locations is not an option.
I was thinking about using the NAS-ID or called-station-id to authenticate instead. The NAS-ID is in the rad_recv request so I'm figuring somehow it must be possible to use that?
I presume you're talking about the NAS-Identifier attribute. If your NAS can be configured to send this, and allows you to set a unique value for each NAS, that's the right way to do what you want. (Often you'd use the NAS-IP-Address attribute instead, but that won't work for you if multiple NASes have the same local IP address) Once you've got an attribute in the incoming request which identifies the NAS, then it's relatively straightforward to do what you want. To start with, you can use unlang in a policy module: e.g. if (&SQL-Group[*] == "staff" && &NAS-Identifier =~ /^(foo|bar)$/) { ... } [Aside: the [*] is there to allow the user to have multiple SQL-Group attributes, and to match if any of them is "staff"] But in practice, you probably want to map a bunch of different NAS-Identifiers to some sort of group attribute so you can create a policy which says "when user is in group X and NAS is in group Y then do Z" There are various ways you could lookup NAS-Identifier to set some group attribute. To do this in SQL, you'd need to create a new instance of the "sql" module, keyed by NAS-Identifier rather than User-Name, and using a different set of tables: sql sql_nas { sql_user_name = "%{NAS-Identifier}" group_attribute = "NAS-SQL-Group" ... also configure to point to a different set of tables } In your authorize { } section you would invoke both "sql" and "sql_nas" modules. The first looks up the username, and the second looks up the NAS-Identifier. Then you can have policy logic like: if (&SQL-Group[*] == "staff" && &NAS-SQL-Group[*] == "dialup") { ... } (Warning: all examples untested) If this is too complicated, then there is another brute-force way you can consider: set up a bunch of radius virtual servers listening on different ports, one for each type of NAS access policy. Then configure each NAS to point to the correct port. HTH, Brian.