Using multiple auth methods, ports
Geoff Silver
geoff+freeradius at uslinux.net
Tue Feb 21 22:22:54 CET 2006
Hi Phil (et al),
In case others on the list are interested, I was able to get this working with
last night's CVS checkout by setting a hints entry of:
DEFAULT User-Name =~ "^(.*)$"
Hint = "Port-%{request:Packet-Dst-Port}"
And users entries of:
geoff Auth-Type := Accept, Huntgroup-Name == "office", Hint == "Port-1645"
geoff Auth-Type := Local, User-Password == "mypassword", Huntgroup-Name == "office", Hint == "Port-1812"
I went through the diffs between production 1.1.0 and CVS and ended up
creating the following patch, based on the CVS 2.0.0pre0 code. Are there any
developers on this list, and if so, would anyone be willing to add the
following patch into the next 1.1.x release (I hate to subscribe to the -devel
list just to ask if anyone will include this patch)?
--- src/main/xlat.c.orig 6 Feb 2006 20:52:20 -0000 1.1
+++ src/main/xlat.c 21 Feb 2006 21:17:56 -0000
@@ -196,6 +196,10 @@
* FIXME: Add SRC/DST IP address!
*/
if (packet) {
+ VALUE_PAIR localvp;
+
+ localvp.strvalue[0] = 0;
+
switch (da->attr) {
case PW_PACKET_TYPE:
{
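Review bot: `VALUE_PAIR localvp` is only partially initialised in this hunk; clearing `localvp.strvalue[0]` leaves every other field (`length`, `next`, the flags, and so on) holding whatever was on the stack, and the same structure is later passed to `valuepair2str`. Initialise the whole structure instead, e.g. `memset(&localvp, 0, sizeof(localvp));`, rather than zeroing one byte of the string buffer.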
@@ -210,12 +214,26 @@
return strlen(out);
}
break;
+
+ case PW_PACKET_SRC_PORT:
+ localvp.attribute = da->attr;
+ localvp.lvalue = packet->src_port;
+ break;
+
+ case PW_PACKET_DST_PORT:
+ localvp.attribute = da->attr;
+ localvp.lvalue = packet->dst_port;
+ break;
default:
+ return 0;
break;
}
- }
+ localvp.type = da->type;
+ return valuepair2str(out, outlen, &localvp,
+ da->type, func);
+ }
/*
* Not found, die.
*/
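Review bot: the `localvp.type = da->type; return valuepair2str(...)` added after the switch is reached by every path that `break`s out of it, not only by the two new port cases. The `PW_PACKET_TYPE` case still ends in `break;` whenever it does not take its early `return strlen(out);`, so on that path `valuepair2str` is called with `localvp.attribute` and `localvp.lvalue` never set. Either move the `valuepair2str` call into the `PW_PACKET_SRC_PORT` and `PW_PACKET_DST_PORT` cases or give `PW_PACKET_TYPE` an explicit `return`. Separately, `default: return 0;` changes behaviour for unknown attributes, which previously fell out of the `if (packet)` block to the "Not found, die." handling below, and the `break;` left after it is now dead code and should be dropped.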
--- src/include/radius.h.orig 6 Feb 2006 20:52:20 -0000 1.1
+++ src/include/radius.h 21 Feb 2006 21:18:29 -0000
@@ -183,8 +183,9 @@
#define PW_REWRITE_RULE 1078
#define PW_SQL_GROUP 1079
#define PW_RESPONSE_PACKET_TYPE 1080
-#define PW_PACKET_DST_PORT 1081
#define PW_MS_CHAP_USE_NTLM_AUTH 1082
+#define PW_PACKET_SRC_PORT 1086
+#define PW_PACKET_DST_PORT 1087
/*
* Integer Translations
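Review bot: renumbering `PW_PACKET_DST_PORT` from 1081 to 1087 breaks any dictionary entry or compiled code that still uses 1081; unless the dictionary that maps `Packet-Dst-Port` to its attribute number is changed in the same patch (no dictionary hunk is included here), the `da->attr` comparison in the xlat code will never hit the new case. Keep 1081 for `PW_PACKET_DST_PORT` and add only `PW_PACKET_SRC_PORT`, or include the matching dictionary and `doc/variables.txt` changes so that `Packet-Src-Port` is documented alongside `Packet-Dst-Port`.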
Phil Mayers wrote:
> I assume you mean Packet-Dst-Port, but yes that would be the way to do it.
>
> Looking at it, it appears this is in CVS head but not in my tarball of
> 1.1.0. doc/variables.txt in a CVS checkout lists Packet-Dst-Port as
> supported and it's in the xlat_packet function.
>
> What I can't figure out is how you might do this:
>
> DEFAULT %{request:Packet-Dst-Port}==1234, Autz-Type := "cert"
>
> ...i.e. have an expansion on the left hand side. I'm not sure you can,
> but the code is quite big and I've only scanned it.
>
> What you can do (in CVS head) is use the following in the hints file
> (which is actually quite appropriate):
>
> DEFAULT User-Name =~ "^(.*)$"
> Hint = "%{request:Packet-Dst-Port}"
>
> ...then have the "users" file read:
>
> DEFAULT Hint=="THEDESTPORT", Auth-Type := Accept
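The users-file entries above accept the "geoff" login on port 1645 with `Auth-Type := Accept`, i.e. with no password check at all, relying on the `Huntgroup-Name` and `Hint` check items to limit where that applies. The following is an added example, not code from the post or from FreeRADIUS: a small lint that parses the check-item line of each users-file entry and reports any forced Accept that carries no such restriction. The sample file is constructed here (its third line is a deliberately weak entry), and the set of attributes treated as "restricting" is an assumption of this script.

```python
import re

# Constructed sample of users-file check-item lines, modelled on the entries in the post.
# The third line is a deliberately weak entry added here to show what the check flags.
SAMPLE_USERS = """\
geoff Auth-Type := Accept, Huntgroup-Name == "office", Hint == "Port-1645"
geoff Auth-Type := Local, User-Password == "mypassword", Huntgroup-Name == "office", Hint == "Port-1812"
DEFAULT Auth-Type := Accept
"""

# One check item: Attribute Operator Value (value either double-quoted or a bare token).
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|=~|!=|=)\s*("[^"]*"|\S+)')

# Check items that tie an Accept to where the request came from or which port it hit
# (assumed list; extend it to match the policy of your own site).
RESTRICTING_ATTRS = {"Hint", "Huntgroup-Name", "NAS-IP-Address", "Client-IP-Address"}


def parse_check_items(line):
    """Split a users-file first line into (name, [(attr, op, value), ...]).

    Items are comma separated; values that themselves contain commas are not handled.
    """
    name, _, rest = line.strip().partition(" ")
    items = []
    for part in rest.split(","):
        m = ITEM_RE.match(part)
        if m:
            items.append((m.group(1), m.group(2), m.group(3).strip('"')))
    return name, items


def unrestricted_accepts(users_text):
    """Return the names of entries that force Auth-Type := Accept (so no password
    is ever checked) without any Hint, huntgroup or NAS restriction."""
    findings = []
    for line in users_text.splitlines():
        # Skip blank lines, comments and indented reply-item continuation lines.
        if not line.strip() or line[0] in "#\t ":
            continue
        name, items = parse_check_items(line)
        accepts = any(a == "Auth-Type" and op == ":=" and v == "Accept" for a, op, v in items)
        restricted = {a for a, _, _ in items} & RESTRICTING_ATTRS
        if accepts and not restricted:
            findings.append(name)
    return findings


if __name__ == "__main__":
    print(unrestricted_accepts(SAMPLE_USERS))  # ['DEFAULT']
```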