Norbert Grochal wrote:
I want to disallow login to access points for every hosts that are not in my network.
So at the end of /usr/local/etc/raddb/users file I put regular expression that checks if Calling-Station-Id IS NOT in list of my hosts... DEFAULT Auth-Type := REJECT, Calling-Station-Id !~ "008012323244|002938475473|<and many other macs...>" Don't do that. It's ugly. Use rlm_passwd. See "man rlm_passwd".
That lets you list all of the MACs in one flat text file, which is a LOT easier to manage by a script than the "users" file.
I still haven't idea how to do it, may you show me any example?
The man page is pretty clear Do something like: modules { passwd mac2ok { filename = /etc/raddb/mac2ok format = "*Calling-Station-Id:~My-Local-String" hashsize = 100 } # other modules } authorize { preprocess mac2ok files # other modules } Make "/etc/raddb/mac2ok" read: 008012323244:ok 002938475473:ok ...then in "users" put: DEFAULT My-Local-String != "ok", Auth-Type := Reject Reply-Message = "calling station id not allowed", Fall-Through = No # Other config items Depending on the version of the server, you might need the following in /etc/raddb/dictionary: ATTRIBUTE My-Local-String 3000 string ...where 3000 can be any number between 3000 and 4000 and My-Local-String is an arbitrary name you can use for a local config attribute.
Is it possible to 'mark' good request and then at the end of users file write
DEFAULT Auth-Type := REJECT, REQUEST_NOT_MARKED
??
Norboro
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html