Hi, running successfull freeradius in 1.x version, i'm looking for some free radius documentation to the NAS-Identifier. Couldn't find anything in the doc or wiki. Anyone who can point me to some docs? I do have now an additional NAS which sends an different NAS-Identifier, but I do currently not know how to take advantage of them. Thanks
Stefan Eck (gmail) wrote:
running successfull freeradius in 1.x version, i'm looking for some free radius documentation to the NAS-Identifier. Couldn't find anything in the doc or wiki.
http://freeradius.org/rfc/attributes.html
Anyone who can point me to some docs? I do have now an additional NAS which sends an different NAS-Identifier, but I do currently not know how to take advantage of them.
It's just an attribute. What do you want to do with it? Alan DeKok.
2008/10/10 Alan DeKok <aland@deployingradius.com>
Stefan Eck (gmail) wrote:
running successfull freeradius in 1.x version, i'm looking for some free radius documentation to the NAS-Identifier. Couldn't find anything in the doc or wiki.
http://freeradius.org/rfc/attributes.html
Anyone who can point me to some docs? I do have now an additional NAS which sends an different NAS-Identifier, but I do currently not know how to take advantage of them.
It's just an attribute. What do you want to do with it?
Well, the new NAS device sends 5 different NAS-Identifier. eg WebAdmin, SSLVPN or HTTP. But only one RADIUS can be configured. I'm just thinking about that users can be authenticated via RADIUS server1 and admin(webadmins) can be authenticated via RADIUS server2. Or similar like that. Currently, I don't have any clue to take advantage of the NAS-Identifier. Where is this attribute configured on the RADIUS. Other devices send the NAS-IP, but this is only relevant for the shared secret or the accouting. Cheers.
Stefan Eck (gmail) wrote:
Well, the new NAS device sends 5 different NAS-Identifier. eg WebAdmin, SSLVPN or HTTP. But only one RADIUS can be configured.
One one RADIUS can be configured... where?
I'm just thinking about that users can be authenticated via RADIUS server1 and admin(webadmins) can be authenticated via RADIUS server2. Or similar like that.
Why?
Currently, I don't have any clue to take advantage of the NAS-Identifier. Where is this attribute configured on the RADIUS. Other devices send the NAS-IP, but this is only relevant for the shared secret or the accouting.
No. The server does NOT use the NAS-IP-Address to look up the shared secret. If you want to apply policies based on attributes, see "man unlang". You can write complex policies using a very simple language. Alan DeKok.
You can use the called-station-id variable to say yay or nay for authentication. For example, we have a Staff network, that requires different usernames/passwords from the regular wifi SSIDS. We use regex to check for regular users trying to get onto the staff ssid. On 10/13/08, Alan DeKok <aland@deployingradius.com> wrote:
Stefan Eck (gmail) wrote:
Well, the new NAS device sends 5 different NAS-Identifier. eg WebAdmin, SSLVPN or HTTP. But only one RADIUS can be configured.
One one RADIUS can be configured... where?
I'm just thinking about that users can be authenticated via RADIUS server1 and admin(webadmins) can be authenticated via RADIUS server2. Or similar like that.
Why?
Currently, I don't have any clue to take advantage of the NAS-Identifier. Where is this attribute configured on the RADIUS. Other devices send the NAS-IP, but this is only relevant for the shared secret or the accouting.
No. The server does NOT use the NAS-IP-Address to look up the shared secret.
If you want to apply policies based on attributes, see "man unlang". You can write complex policies using a very simple language.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Random quote of the week/month/whenever i get to updating it: "Opportunity knocked. My doorman threw him out." - Adrienne Gusoff "At school you don't get parole, good behavior only brings a longer sentence." - The History Boys
participants (3)
-
Alan DeKok -
Paul Bartell -
Stefan Eck (gmail)