Questions from a totally ignorant n00b

Gene Mosley freeradius at mosleyfamily.org
Thu Dec 21 22:56:44 CET 2006


Alan,
    Thank you very much for the information.

    What I am looking for is to allow a user ("bob") to authenticate from any system he uses UNLESS that system is blocked from authenticating.

    I mean "bob" could authenticate from "server1" but not from "server2" - restricting it (somehow) by the IP address of the source - not by the user account.

    Nobody could authenticate from "server2" - anyone could authenticate from "server1" (with valid credentials).

    It seems that AIX RADIUS cannot do this - can FreeRADIUS?

    Someone else suggested using IPTables to not allow "server2" to talk to the RADIUS server - but I thought that the communication was from the firewall to the RADIUS server, not from the user system (although I will be looking into this).

    Anyway - to recap/summarize:

    Can FreeRADIUS be configured to allow/disallow authentication based on the source IP address that the user is coming from and NOT the user account itself (allowing "bob" to authenticate from "server1" which is not 'banned', but not allowing "bob" to authenticate from "server2" which is 'banned')?
    And, if so - how?



----- Original Message ----
From: Alan DeKok <aland at deployingradius.com>
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Sent: Thursday, December 21, 2006 12:48:50 PM
Subject: Re: Questions from a totally ignorant n00b

Gene Mosley wrote:
> Alan,
>     Could you perhaps give me a hint about how one would go about
> allowing any user from any system (_unless_ that system is listed for
> the specific purpose of not allowing anyone to authenticate from it) to
> authenticate?

  You've phrased the problem in a very complicated way.

  By default, any user is allowed to authenticate from any NAS.  You
don't have to do anything to enable this behavior.

  If you want NO ONE to authenticate from a particular NAS, then don't
list the NAS IP address in clients.conf.

  If you want only SOME people to authenticate from a particular NAS,
see the FAQ.

http://wiki.freeradius.org/index.php/FAQ#How_do_I_deny_access_to_a_specific_user.2C_or_group_of_users.3F

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
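
Alan's clients.conf suggestion as an added example, not part of the original thread or of FreeRADIUS's shipped configuration. The addresses, shortnames and secret are constructed placeholders, and the stanza form assumes the FreeRADIUS 1.x syntax in use when this thread was written.

```conf
# clients.conf (constructed example)
#
# FreeRADIUS compares the source IP of each incoming RADIUS packet
# with the client entries below. That source is the NAS (the device
# that speaks RADIUS), which is not necessarily the machine the user
# is sitting at.

# "server1" is listed, so any user with valid credentials can
# authenticate through it.
client 192.0.2.10 {
	secret    = REPLACE_WITH_SHARED_SECRET
	shortname = server1
}

# "server2" (192.0.2.20 here) has NO client entry. Requests arriving
# from that address are dropped without a reply, so nobody can
# authenticate through it, whatever account they use.
#
# Avoid a catch-all network entry that would cover server2 again:
#
# client 192.0.2.0/24 {
#	secret    = REPLACE_WITH_SHARED_SECRET
#	shortname = lab-net
# }
```

This only separates server1 from server2 if each of them sends its own RADIUS packets. If both sit behind one firewall that acts as the NAS, FreeRADIUS sees only the firewall's address.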



