user from particular NAS-IP-Address
I'm trying to restrict a guest user from a single NAS-IP-Address via "users" and I can't get it to work. Doesn't work: test NAS-IP-Address == "127.0.0.1" Auth-Type := Accept test NAS-IP-Address == "127.0.1.1" Auth-Type := Accept Works, but it isn't restricted by NAS: test Auth-Type := Accept I've also tried "Calling-Station-ID == 127.0.1.1" to no avail. Also, how would I do this for a group of NAS IP addresses? Is it possible to assign them to a group in "clients.conf" that can be later checked against in "users"? Where is the documentation of what can be tested against in the "users" file?
Pete Ashdown wrote:
I'm trying to restrict a guest user from a single NAS-IP-Address via "users" and I can't get it to work.
Doesn't work:
test NAS-IP-Address == "127.0.0.1" Auth-Type := Accept
That's wrong. Why? See the debug output. It *tells* you what's wrong, and how to fix it. See "man users". It *documents* the format of the "users" file. See the sample "raddb/users" file. Look for "Auth-Type". There are *examples* of how to do this.
Also, how would I do this for a group of NAS IP addresses? Is it possible to assign them to a group in "clients.conf" that can be later checked against in "users"?
See raddb/huntgroups. You can group NASes, and check the group membership later.
Where is the documentation of what can be tested against in the "users" file?
What does that mean? "man users" describes how the "users" file works. After that, if you get something wrong, the debug output will tell you. You *did* run the server in debugging mode, as suggested in the FAQ, README, "man" page, and daily on this list? Alan DeKok.
On Sat, May 25, 2013 at 06:23:44PM -0400, Alan DeKok wrote:
You *did* run the server in debugging mode, as suggested in the FAQ, README, "man" page, and daily on this list?
Yes I did, over a period of about 3 hours of trial and error before banging my head against: [...] [files] users: Matched entry test at line 86 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. [...] I also searched via Google site:lists.freeradius.org because Mailman's archive sucketh and found similar recriminations to RTFM and run "radiusd -X". I didn't see a freeradius-newbs list, so I assumed freeradius-users was welcoming like other users mailing lists. I'll unsubscribe now and go back to the trial and error. Sorry to have wasted your time.
Hi,
[files] users: Matched entry test at line 86 ++[files] returns ok
and what is that entry?
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
what type of authentication is this?
sucketh and found similar recriminations to RTFM and run "radiusd -X". I
you'll read that its not just 'run radiusd -X' - theres also the part about giving that information to the list. not just a tiny snippet. there is an expectation that SOME effort is put into reading the docs/resources/wiki rather than just getting people from the list to just do your (I'm guessing paid for) work. alan
Pete Ashdown wrote:
I also searched via Google site:lists.freeradius.org because Mailman's archive sucketh and found similar recriminations to RTFM and run "radiusd -X".
That text *also* said to POST THE OUTPUT TO THE LIST. It's understandable that you're not a RADIUS expert. That's what this list is for: to help people. But we can't help you if you don't follow instructions. We can't help you if you post messages like "something went wrong, how do I fix it?" We ASK for the debug output because we NEED IT TO HELP YOU.
I didn't see a freeradius-newbs list, so I assumed freeradius-users was welcoming like other users mailing lists. I'll unsubscribe now and go back to the trial and error. Sorry to have wasted your time.
You're welcome back any time. Just *follow instructions*. It shouldn't be hard. This list is for people who want to get help solving RADIUS problems. Getting that help often means *following instructions*. There should be no reason to get upset when asked to follow instructions. You asked for help... it should be obvious that the response should contain *some* kind of instruction. Alan DeKok.
Pete, On Sat, May 25, 2013 at 02:31:12PM -0600, Pete Ashdown wrote:
I'm trying to restrict a guest user from a single NAS-IP-Address via "users" and I can't get it to work.
Doesn't work:
test NAS-IP-Address == "127.0.0.1" Auth-Type := Accept
Try: test NAS-IP-Address == "127.0.0.1", Auth-Type := Accept The first line is matches against the incoming request packets, and setting things in the control list. The subsequent lines are entries for the reply packet. Auth-Type is a control item. This is documented in the users file - read it carefully and look at the examples, such as "deny access for a group of users". But for restricting users, I doubt you want "Accept"! :)
Also, how would I do this for a group of NAS IP addresses? Is it possible to assign them to a group in "clients.conf" that can be later checked against in "users"? Where is the documentation of what can be tested against in the "users" file?
Add entries in the huntgroups file: blockednaslist NAS-IP-Address == 127.0.0.1 blockednaslist NAS-IP-Address == 127.0.1.1 then use something like this in users: testuser Huntgroup-Name == "blockednaslist", Auth-Type := Reject Don't forget that NAS-IP-Address can be spoofed if you permit NASes not under your own control. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Matthew Newton -
Pete Ashdown