Hi All I'm struggling with getting an IP address to eb accepted as a username in the clients file and suspect it's somehow being filtered but I can't find where I've create a user like: Test Cleartext-Password := "test" And using radtest can get an access-accept but when I try: 1.1.1.1 Cleartext-Password := "test" I get an access-reject and it has a noop against the files in the debug I have tried in quotes as well but no luck Can anyone point me in the right direction as the configs are quite vanilla/plain Darren
Darren Ward (darrward) wrote:
I’m struggling with getting an IP address to eb accepted as a username in the clients file and suspect it’s somehow being filtered but I can’t find where
That question is very confused. You don't mean the "clients" file. You mean the "users" file. Computers are particular about that kind of thing. And you can't get IP's accepted as a User-Name. They're a different attribute.
I’ve create a user like:
Test Cleartext-Password := “test”
And using radtest can get an access-accept
Because that's how it works.
but when I try:
1.1.1.1 Cleartext-Password := “test”
I get an access-reject and it has a noop against the files in the debug
Because the "users" file is keyed by User-Name. Read the comments at the top of the "users" file. This is documented.
I have tried in quotes as well but no luck
Have you tried reading raddb/modules/files? This is documented. Alan DeKok.
Hi Alan Actually in cases where we do authorisation based on IP address such as in ISG we do need the IP or MAC as the username but you are correct I said clients when I meant users file e.g. a WiFi user who gets an IP from DHCP then attempt to go through to the Internet - we have no auth details yet but have a need to control the session It also worked out that my problem was that the users file was in two places on my system and I was editing the wrong one! So easily fixed The entry in the users file would be: 192.168.10.10 Cleartext-Password := "cisco" xxxxx attributes list; Here's a snippet of ISG config: ! class type control always event session-start 20 service-policy type service name WIFI_OPENGARDEN_SERVICE 40 service-policy type service name WIFI_L4REDIRECT_SERVICE 60 authorize aaa list IP_AUTHOR_LIST password cisco identifier source-ip-address ! What this does is when a new subscriber appears on the system it contacts the AAA servers in the list IP_AUTHOR_LIST and authorises using the IP address on the incoming session with a password of cisco - all before the user has to authenticate to say a web portal or accept some T&C's This is for IPoE or IP sessions rather than PPP/PPPoE etc which has built in AAA Of course once they login via a web-portal we can change the services activated by sending a CoA to the gateway Darren -----Original Message----- From: freeradius-users-bounces+darrward=cisco.com@lists.freeradius.org [mailto:freeradius-users-bounces+darrward=cisco.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Friday, 7 February 2014 5:59 AM To: FreeRadius users mailing list Subject: Re: IP Address as User name Darren Ward (darrward) wrote:
I’m struggling with getting an IP address to eb accepted as a username in the clients file and suspect it’s somehow being filtered but I can’t find where
That question is very confused. You don't mean the "clients" file. You mean the "users" file. Computers are particular about that kind of thing. And you can't get IP's accepted as a User-Name. They're a different attribute.
I’ve create a user like:
Test Cleartext-Password := “test”
And using radtest can get an access-accept
Because that's how it works.
but when I try:
1.1.1.1 Cleartext-Password := “test”
I get an access-reject and it has a noop against the files in the debug
Because the "users" file is keyed by User-Name. Read the comments at the top of the "users" file. This is documented.
I have tried in quotes as well but no luck
Have you tried reading raddb/modules/files? This is documented. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 6 Feb 2014, at 22:28, Darren Ward (darrward) <darrward@cisco.com> wrote:
Hi Alan
Actually in cases where we do authorisation based on IP address such as in ISG we do need the IP or MAC as the username but you are correct I said clients when I meant users file
e.g. a WiFi user who gets an IP from DHCP then attempt to go through to the Internet - we have no auth details yet but have a need to control the session
It also worked out that my problem was that the users file was in two places on my system and I was editing the wrong one! So easily fixed
The entry in the users file would be:
192.168.10.10 Cleartext-Password := "cisco" xxxxx attributes list;
Assuming you've set the key config item correctly it should work. Please provide debug output. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
participants (3)
-
Alan DeKok -
Arran Cudbard-Bell -
Darren Ward (darrward)