Questions from a totally ignorant n00b
Gene Mosley
freeradius at mosleyfamily.org
Thu Dec 21 21:24:44 CET 2006
Alan,
Could you perhaps give me a hint about how one would go about allowing any user from any system (_unless_ that system is listed for the specific purpose of not allowing anyone to authenticate from it) to authenticate?
----- Original Message ----
From: Alan DeKok <aland at deployingradius.com>
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Sent: Thursday, December 21, 2006 11:47:47 AM
Subject: Re: Questions from a totally ignorant n00b
Gene Mosley wrote:
> Users are authenticating from systems that they should not be
> authenticating from - we need to block authentication on a per system
> (IP address) basis, not a per user basis.
You can do this in FreeRADIUS. Put users into different groups, and
block the group from accessing particular systems.
> Users should be allowed to authenticate from any system that they are
> using _except_ a certain, specific list of IP addresses which would
> basically be banned/blocked from authenticating.
This can be done, too.
> Is this something that FreeRADIUS can do?
Yes.
> I just started reading about it - and if nothing else it looks like
> exec-program-wait might be used to test the IP address and return an
> authentication failure?
That will work, too, but will be less efficient.
Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20061221/b10e34e3/attachment.html>
More information about the Freeradius-Users
mailing list