Using multiple auth methods, ports

Phil Mayers p.mayers at imperial.ac.uk
Sat Feb 18 19:16:42 CET 2006


Geoff Silver wrote:
> I've got (what I believe is) an interesting engineering problem to 
> solve. I'm

Hmm - you're right, interesting

> options in the NAS to either restrict the NAS-Port that gets used (ie. cert
> auth would use ports 1-1000 and regular auth would use 1001-2000), nor is
> there a way to *apply* a realm to a request (only to strip the realm from
> the request, which doesn't help me).  The only thing the NAS can do that is
> "helpful" is send cert auth requests to a different UDP port than regular
> auth requests.

"Helpful" in quotes indeed!

> a Packet-Src-Port attribute in the freeradius.internal dictionary, but I 

I assume you mean Packet-Dst-Port, but yes that would be the way to do it.

Looking at it, it appears this is in CVS head but not in my tarball of 
1.1.0. doc/variables.txt in a CVS checkout lists Packet-Dst-Port as 
supported and it's in the xlat_packet function.

What I can't figure out is how you might do this:

DEFAULT %{request:Packet-Dst-Port}==1234, Autz-Type := "cert"

...i.e. have an expansion on the left hand side. I'm not sure you can, 
but the code is quite big and I've only scanned it.

What you can do (in CVS head) is use the following in the hints file 
(which is actually quite appropriate):

DEFAULT User-Name =~ "^(.*)$"
         Hint = "%{request:Packet-Dst-Port}"

...then have the "users" file read:

DEFAULT Hint=="THEDESTPORT", Auth-Type := Accept


...and of course, add a 2nd listen section to the "radiusd.conf":

listen {
   ipaddr = *
   port = THEDESTPORT
   type = auth
}

You can get more complex if you need to using Autz-Type based on the 
hint, or whatever.

Hope that helps.
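To make the two-stage lookup concrete, here is a small model of it in Python. This is an added example, not FreeRADIUS code: it assumes a simplified version of the hints/users semantics (first matching entry wins, `=` writes a request attribute, `:=` writes a control attribute), and the port number 11812 is a constructed stand-in for THEDESTPORT.

```python
"""Toy model of routing by destination UDP port, as described in the post.

Stage 1 (hints): a DEFAULT entry matching every User-Name expands
%{request:Packet-Dst-Port} into a Hint attribute on the request.
Stage 2 (users): a DEFAULT entry keyed on Hint sets Auth-Type.

Assumptions (not FreeRADIUS internals): first matching entry wins in
each file, '=' writes to the request list, ':=' writes to the control
list, and only the '==' and '=~' operators are modelled.
"""
import re

CERT_PORT = 11812     # constructed stand-in for THEDESTPORT
REGULAR_PORT = 1812   # standard RADIUS authentication port

XLAT = re.compile(r"%\{request:([A-Za-z0-9-]+)\}")


def xlat(template, request):
    """Expand %{request:Attr} references against the request attributes."""
    return XLAT.sub(lambda m: str(request.get(m.group(1), "")), template)


def check_item(op, left, right):
    """Evaluate one check item; only the two operators used here are modelled."""
    if op == "==":
        return str(left) == str(right)
    if op == "=~":
        return re.search(right, str(left)) is not None
    raise ValueError("unsupported operator: %s" % op)


def apply_entry(entry, request, control):
    """Apply one (check_items, set_items) entry if all check items match."""
    checks, sets = entry
    for attr, op, value in checks:
        if attr not in request or not check_item(op, request[attr], value):
            return False
    for attr, op, value in sets:
        expanded = xlat(value, request)
        if op == "=":
            request[attr] = expanded      # hints add to the request list
        elif op == ":=":
            control[attr] = expanded      # users set control attributes
    return True


# The hints entry from the post: copy the destination port into Hint.
HINTS = [
    ([("User-Name", "=~", r"^(.*)$")],
     [("Hint", "=", "%{request:Packet-Dst-Port}")]),
]

# The users entries: the post's Hint match, plus a constructed fallback
# for requests that arrived on the regular port.
USERS = [
    ([("Hint", "==", str(CERT_PORT))], [("Auth-Type", ":=", "Accept")]),
    ([], [("Auth-Type", ":=", "PAP")]),
]


def route(user_name, dst_port):
    """Run hints then users; return (Hint, Auth-Type) chosen for the request."""
    request = {"User-Name": user_name, "Packet-Dst-Port": dst_port}
    control = {}
    for entry in HINTS:
        if apply_entry(entry, request, control):
            break
    for entry in USERS:
        if apply_entry(entry, request, control):
            break
    return request.get("Hint"), control.get("Auth-Type")


if __name__ == "__main__":
    print(route("alice", CERT_PORT))     # cert-auth listener
    print(route("bob", REGULAR_PORT))    # regular listener
```

Running it shows the point of the post: the only thing that differs between the two requests is the socket they arrived on, and the hints/users files turn that into a different Auth-Type.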


