Authenticate/Attributes based on NAS-IP-Address
Graeme Hinchliffe
graeme.hinchliffe at zeninternet.co.uk
Thu Jun 9 11:33:03 CEST 2005
Hiya,
Use Client-IP rather than NAS-IP as NAS-IP can be spoofed.
Graeme
On Wed, 2005-06-08 at 15:30 -0700, N White wrote:
> Graeme Hinchliffe wrote:
>
> >Hiya
> > perhaps you could do it using huntgroups.
> >
> > Put the static attributes for the user in the radreply table, then
> >assign each nas to a huntgroup, so say
> >
> >NAS-dynamic
> >
> > Then in radgroupreply you put the attributes for dynamic IP
> >assignment on the NAS-dynamic, and ensure there is an attribute to
> >override the static settings.
> >
> >not 100% about the overriding of the static IP settings, but would think
> >it possible using the assignment ( := ) operator and possibly a null
> >value?
> >
> >Hope that's of some help.
> >
> >
> Do I need to set up a "HuntGroups" field like Mike suggested? Ok, so in
> huntgroups file:
>
> Wireless NAS-IP-Address = (the IP of the Wireless NAS)
> Autz-Type = SQL1 (modify radiusd.conf to include
> this, and sql.conf like in Mike's post?)
> NAS-dynamic NAS-IP-Address = (ip of dialup NAS)
> NAS-IP-Address = (ip of isdn NAS)
>
> in radgroupreply:
>
> +-------------+--------------------+----+---------------------+-----------+
> | GroupName   | Attribute          | op | Value               | HuntGroup |
> +-------------+--------------------+----+---------------------+-----------+
> | Wireless    | Service-Type       | =  | Framed-User         | Wireless  |
> | Wireless    | Framed-Protocol    | =  | PPP                 | Wireless  |
> | Wireless    | Framed-IP-Address  | =  | 255.255.255.254     | Wireless  |
> | Wireless    | Framed-IP-Netmask  | =  | 255.255.255.255     | Wireless  |
> | Wireless    | Framed-Compression | =  | Van-Jacobson-TCP-IP | Wireless  |
> +-------------+--------------------+----+---------------------+-----------+
> All Other users would go into the Dial-Up Group, which would have a HuntGroup of NAS-dynamic?
>
> in radreply:
>
> +-----------+-------------------+-----+---------------+
> | UserName  | Attribute         | op  | Value         |
> +-----------+-------------------+-----+---------------+
> | test123   | Framed-IP-Address | :=  | 192.168.2.10  |
> +-----------+-------------------+-----+---------------+
>
> Now in radgroupcheck do I need a NAS-IP-Address check for each group (or
> the wireless group?)?
> Thanks for everyone's help.
>
> -Nick
>
--
-----
Graeme Hinchliffe (BSc)
Core Systems Designer
Zen Internet (http://www.zen.co.uk/)
Direct: 0845 058 9074
Main : 0845 058 9000
Fax : 0845 058 9005
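
The point of the reply above, as an added example that is not part of the original message and is not FreeRADIUS code: NAS-IP-Address is an attribute inside the request that the sender fills in, while the client IP is the UDP source address the server itself observes, so the huntgroup decision is keyed on the latter and a disagreement between the two is flagged. The addresses, the huntgroup map and all function names are constructed for illustration.

```python
import ipaddress
import struct

NAS_IP_ADDRESS = 4  # attribute type from RFC 2865

# Constructed mapping: observed source address -> huntgroup name.
HUNTGROUPS = {"192.0.2.10": "Wireless", "192.0.2.20": "NAS-dynamic"}

def parse_attributes(packet: bytes):
    """Yield (type, value) pairs from a RADIUS packet (RFC 2865 layout)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not fit the datagram")
    pos = 20  # skip code, identifier, length and 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def claimed_nas_ip(packet: bytes):
    """Return the NAS-IP-Address the sender put in the packet, or None."""
    for atype, value in parse_attributes(packet):
        if atype == NAS_IP_ADDRESS and len(value) == 4:
            return str(ipaddress.IPv4Address(value))
    return None

def select_huntgroup(packet: bytes, source_ip: str, huntgroups: dict):
    """Pick the huntgroup from the observed source address only.

    Returns (huntgroup or None, mismatch) where mismatch is True when the
    NAS-IP-Address in the payload disagrees with the source address.
    """
    claimed = claimed_nas_ip(packet)
    mismatch = claimed is not None and claimed != source_ip
    return huntgroups.get(source_ip), mismatch

def build_request(nas_ip: str, user: bytes = b"test123") -> bytes:
    """Test fixture: constructed Access-Request with a zeroed authenticator."""
    attrs = bytes([1, 2 + len(user)]) + user
    attrs += bytes([NAS_IP_ADDRESS, 6]) + ipaddress.IPv4Address(nas_ip).packed
    return struct.pack("!BBH", 1, 42, 20 + len(attrs)) + bytes(16) + attrs
```

A mismatch is not always hostile: a NAS behind NAT or with several interfaces can legitimately report an address other than the one the server sees, so treat the flag as something to log and review rather than an automatic reject.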