Verify that the user belongs to a specific ipv4 network
Hello! In additionto the password, Ineedto verifythat theuserbelongstoa specificipv4network. Idon'tuseanydatabases. 1. I'm tryingto dothisinthe usersfile: test Cleartext-Password := "password", NAS-IP-Address == 10.1.1.0/24 Cisco-AVPair = "shell:priv-lvl=1", Service-Type = Administrative-User Got error: /etc/freeradius/3.0/mods-config/files/authorize[227]: Parse error (check) for entry test: Invalid IPv4 mask length "/24". Only "/32" permitted for non-prefix types Failed reading /etc/freeradius/3.0/mods-config/files/authorize /etc/freeradius/3.0/mods-enabled/files[9]: Instantiation failed for module "files" 2. I'm tryingto dothisinthe usersfile: test Cleartext-Password := "password", NAS-IP-Address < 10.1.1.0/24 Cisco-AVPair = "shell:priv-lvl=1", Service-Type = Administrative-User Got error: /etc/freeradius/3.0/mods-config/files/authorize[227]: Parse error (check) for entry test: Invalid IPv4 mask length "/24". Only "/32" permitted for non-prefix types Failed reading /etc/freeradius/3.0/mods-config/files/authorize /etc/freeradius/3.0/mods-enabled/files[9]: Instantiation failed for module "files" 3. I'm tryingto dothisinthe usersfile: test Cleartext-Password := "password", NAS-IP-Address =~ /10\.1\.1\..+/ Cisco-AVPair = "shell:priv-lvl=1", Service-Type = Administrative-User Got error: (0) files: EXPAND /10\.1\.1\..+/ (0) files: --> /10\.1\.1\..+/ (0) [files] = noop (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> test (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [test] (from client net port 0) (0) Delaying response for 1.000000 seconds Is it possible to make such a check for belonging to an ipv4 network? How to do this correctly? This check is very important for me...
On Sep 4, 2025, at 2:23 AM, Dzmitry Shykuts <dshykuts@brest.beltelecom.by> wrote:
1. I'm tryingto dothisinthe usersfile:
test Cleartext-Password := "password", NAS-IP-Address == 10.1.1.0/24 Cisco-AVPair = "shell:priv-lvl=1", Service-Type = Administrative-User
Unfortunately, this isn't supported in v3. It is in v4, but... You can do the same thing in unlang: if (NAS-IP-Address < 10.1.1.0/24) { update control { ... } update reply { ... } } Alan DeKok.
04.09.2025 21:22, Alan DeKok via Freeradius-Users пишет:
On Sep 4, 2025, at 2:23 AM, Dzmitry Shykuts<dshykuts@brest.beltelecom.by> wrote:
1. I'm tryingto dothisinthe usersfile:
test Cleartext-Password := "password", NAS-IP-Address == 10.1.1.0/24 Cisco-AVPair = "shell:priv-lvl=1", Service-Type = Administrative-User Unfortunately, this isn't supported in v3. It is in v4, but...
You can do the same thing in unlang:
if (NAS-IP-Address < 10.1.1.0/24) { update control { ... }
update reply { ... } }
Alan DeKok. - List info/subscribe/unsubscribe? Seehttp://www.freeradius.org/list/users.html WhereshouldIspecifythiscondition?Rightinthe usersfile?
participants (2)
-
Alan DeKok -
Dzmitry Shykuts