Authenticate/Attributes based on NAS-IP-Address

Dustin Doris freeradius at mail.doris.cc
Wed Jun 8 02:28:04 CEST 2005


On Tue, 7 Jun 2005, N White wrote:

> Well, thanks for the input. With MySQL, 1500 users is easier to
> maintain. Perhaps I should just run a second FreeRADIUS server for the
> second NAS. It means more equipment, but whatever it takes.
>
> -Nick

You don't need to do that; you can do it with SQL in one server. First,
work on reading the documentation and installing the server and setting up
MySQL for authorization. Once you've got that down, then move on to the
reply values and groups if you want them.

Alan gave you a good start with the users file entries. Read man 5 users;
that will tell you about the users file. You'll take that info and
transfer it to SQL.

It would look something like this.

users file only format
bob     NAS-IP-Address == foo, Pool-Name := "foo"

bob     NAS-IP-Address == bar
        Framed-IP-Address := 1.2.3.4


SQL Format.

in the users file

DEFAULT NAS-IP-Address == foo, Pool-Name := "foo"

This says any user from that NAS IP will have Pool-Name set to foo. That
is what ippool will use to assign IPs.

In radiusd.conf, in your ip_pool section, be sure to include:

override = no

That makes it so a dynamic IP from ippool will not override one statically
assigned to the user as a reply value.

In SQL, in the radcheck table, you put your users and their passwords. In
radreply you put the users and their static IP.

For example:

insert into radcheck (username,attribute,value,op) VALUES
('bob','User-Password','bobspassword','==');

insert into radreply (username,attribute,value,op) VALUES
('bob','Framed-IP-Address','1.1.1.1',':='),
('bob','Framed-IP-Netmask','255.255.255.0',':=');


That should give you a good start. Get it set up, and if you run into
problems, post radiusd -X to the list and describe what you are trying to
do.

You can add groups in too if you want, but right now you probably won't need
it.

Hope that is helpful.

Dusty Doris
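
The following is an added example, not part of the original post and not FreeRADIUS code: a simplified Python model of how the three pieces above interact (radcheck password check, radreply static IP, and a Pool-Name keyed on NAS-IP-Address with override = no). The user alice, the pool range, and the function names are constructed for illustration; "foo" and "bar" are the post's own placeholders for NAS addresses.

```python
import hmac
import sqlite3

# users file: DEFAULT NAS-IP-Address == foo, Pool-Name := "foo"
POOL_BY_NAS = {"foo": "foo"}
POOLS = {"foo": ["192.0.2.2", "192.0.2.3"]}  # constructed pool range
OVERRIDE = False                              # ippool section: override = no

def make_db():
    """In-memory stand-in for the radcheck and radreply tables."""
    db = sqlite3.connect(":memory:")
    for table in ("radcheck", "radreply"):
        db.execute(f"CREATE TABLE {table} "
                   "(username TEXT, attribute TEXT, value TEXT, op TEXT)")
    db.execute("INSERT INTO radcheck (username,attribute,value,op) VALUES "
               "('bob','User-Password','bobspassword','=='),"
               "('alice','User-Password','alicespassword','==')")  # alice: constructed
    db.execute("INSERT INTO radreply (username,attribute,value,op) VALUES "
               "('bob','Framed-IP-Address','1.1.1.1',':='),"
               "('bob','Framed-IP-Netmask','255.255.255.0',':=')")
    return db

def authorize(db, username, password, nas_ip, leases):
    """Return the reply attributes for an accept, or None for a reject."""
    row = db.execute("SELECT value FROM radcheck "
                     "WHERE username = ? AND attribute = 'User-Password'",
                     (username,)).fetchone()
    if row is None or not hmac.compare_digest(row[0].encode(), password.encode()):
        return None
    # Static reply values from radreply are collected first.
    reply = dict(db.execute("SELECT attribute, value FROM radreply "
                            "WHERE username = ?", (username,)))
    # The pool is chosen by the NAS the request came from.
    pool = POOL_BY_NAS.get(nas_ip)
    # override = no: a pool address never replaces a static Framed-IP-Address.
    if pool and (OVERRIDE or "Framed-IP-Address" not in reply):
        free = [ip for ip in POOLS[pool] if ip not in leases]
        if free:
            leases.add(free[0])
            reply["Framed-IP-Address"] = free[0]
    return reply
```

Note that in this SQL layout bob receives his static address from any NAS, because the radreply rows are not conditioned on NAS-IP-Address.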




