How to allow login only from a specified access point?

Norbert Grochal norboro at celpol.pl
Sat Nov 18 13:54:32 CET 2006


I have a freeradius server with PEAP auth. The secrets of the NAS names and the user passwords are in MySQL.

Is it possible to set freeradius to send Access-Accept only when the user tries to connect to a specified access point? I tried to check it with an SQL query I modified myself.

 sql: authorize_check_query = "SELECT r.id, r.UserName, r.Attribute, r.Value, r.op FROM radcheck r WHERE r.Username = '%{SQL-User-Name}' AND ('%{NAS-IP-Address}' = 'aaaaaaaaaa')"

When sql gets the password from SQL, there is no desired value of the NAS-IP-Address attribute, so I don't know how to check it with SQL.

For example, this is ONE Access-Request packet:

rad_recv: Access-Request packet from host 10.10.10.123:2048, id=247, length=261
        User-Name = "Adam Nowak"
        NAS-IP-Address = 10.10.10.123
(...)
rlm_sql (sql): sql_set_user escaped user --> 'Adam Nowak'
radius_xlat:  'SELECT r.id, r.UserName, r.Attribute, r.Value, r.op           FROM radcheck r           WHERE r.Username = 'Adam Nowak'           and ('10.10.10.123' = 'aaaaaaaaaa') // YOU CAN SEE NAS-IP-Address here, but Adam Nowak is not the eap-peap login...
(...)
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Identity - wlxtbp - // THIS IS THE CORRECT LOGIN...
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Got tunneled identity of wlxtbp
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to wlxtbp
(...)
rlm_sql (sql): sql_set_user escaped user --> 'wlxtbp'
radius_xlat:  'SELECT r.id, r.UserName, r.Attribute, r.Value, r.op           FROM radcheck r           WHERE r.Username = 'wlxtbp'           and ('127.0.0.1' = 'aaaaaaaaaa' ) // YOU SEE 127.0.0.1 instead of the desired NAS-IP-Address here, so I can't check here from which access point the user tries to connect

This is the place where freeradius gets the password from MySQL, and if the password is OK we can see:

  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap: Success

My question is as I have written:
Is it possible to set freeradius to send Access-Accept only when the user tries to connect to a specified access point?
And how to do it? :-)

Norboro
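Added example (not part of Norbert's post, and not code shipped with FreeRADIUS): the usual way to express this restriction is to leave authorize_check_query exactly as distributed and store the NAS restriction as a radcheck check item, which rlm_sql compares against the request attributes itself. The check item can only match if the tunneled (inner) PEAP request carries the outer NAS-IP-Address, and the 127.0.0.1 in the second query above shows that by default it does not. The assumption here is that setting copy_request_to_tunnel = yes in the peap { } section of eap.conf (the FreeRADIUS 1.x option; 2.x and later can also reference %{outer.request:NAS-IP-Address} in a query) makes the outer attribute visible to the inner request. The table is the stock radcheck schema, the user name and address are the ones from the debug output above, and the second user is constructed for illustration.

```sql
-- Added example, not from the original post or the FreeRADIUS distribution.
-- Assumes the stock radcheck table (id, UserName, Attribute, op, Value) and that
-- eap.conf has copy_request_to_tunnel = yes under peap { }, so the inner PEAP
-- request sees the real NAS-IP-Address rather than 127.0.0.1.

-- wlxtbp may log in only through the access point at 10.10.10.123.
-- '==' is a check operator: rlm_sql compares this row against the request's
-- NAS-IP-Address. If it does not match, the user's check items fail, no
-- password is handed to EAP-MSCHAPv2, and the NAS gets an Access-Reject.
INSERT INTO radcheck (UserName, Attribute, op, Value)
VALUES ('wlxtbp', 'NAS-IP-Address', '==', '10.10.10.123');

-- Hypothetical second user (constructed name) allowed from two access points.
-- Do NOT add two '==' rows: every check item must match, so the user would
-- always be rejected. Use one regular-expression check item instead
-- (MySQL string literals need the backslashes doubled).
INSERT INTO radcheck (UserName, Attribute, op, Value)
VALUES ('jkowalski', 'NAS-IP-Address', '=~', '^10\\.10\\.10\\.(123|124)$');

-- Sanity check: this is what the unmodified authorize_check_query returns for
-- the user once %{SQL-User-Name} has been substituted. The password row already
-- present in radcheck is returned alongside the new check item.
SELECT id, UserName, Attribute, Value, op
  FROM radcheck
 WHERE UserName = 'wlxtbp';
```

Two caveats a practitioner would want. First, NAS-IP-Address is whatever the access point chooses to put in the packet; it is only as trustworthy as the shared secret of the client that sent it, so keep one secret per NAS in the nas table rather than sharing one across access points. Second, the check happens in the tunneled request, so run radiusd -X and confirm that the inner rlm_sql query now shows the real NAS-IP-Address before relying on it; if it still shows 127.0.0.1, the copy_request_to_tunnel setting is not taking effect.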