how to allow login only from specified access point?
Norbert Grochal
norboro at celpol.pl
Sat Nov 18 13:54:32 CET 2006
I have a freeradius server with PEAP auth. Secrets of NAS names and user passwords are in MySQL.
Is it possible to set freeradius to send Access-Accept only when a user tries to connect to a specified access point? I tried to check it with an SQL query that I modified.
sql: authorize_check_query = "SELECT r.id, r.UserName, r.Attribute, r.Value, r.op FROM radcheck r WHERE r.Username = '%{SQL-User-Name}' and ('%{NAS-IP-Address}' = 'aaaaaaaaaa')"
When sql gets the password from SQL there is no desired value of the NAS-IP-Address attribute, so I don't know how to check it by SQL.
Example, this is ONE packet of Access-Request:
rad_recv: Access-Request packet from host 10.10.10.123:2048, id=247, length=261
User-Name = "Adam Nowak"
NAS-IP-Address = 10.10.10.123
(...)
rlm_sql (sql): sql_set_user escaped user --> 'Adam Nowak'
radius_xlat: 'SELECT r.id, r.UserName, r.Attribute, r.Value, r.op FROM radcheck r WHERE r.Username = 'Adam Nowak' and ('10.10.10.123' = 'aaaaaaaaaa') // YOU CAN SEE NAS-IP-Address here, but Adam Nowak is not the eap-peap login...
(...)
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Identity - wlxtbp - // THIS IS THE CORRECT LOGIN...
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled identity of wlxtbp
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to wlxtbp
(...)
rlm_sql (sql): sql_set_user escaped user --> 'wlxtbp'
radius_xlat: 'SELECT r.id, r.UserName, r.Attribute, r.Value, r.op FROM radcheck r WHERE r.Username = 'wlxtbp' and ('127.0.0.1' = 'aaaaaaaaaa' ) // YOU SEE 127.0.0.1 instead of desired NAS-IP-Address here, so I can't check here from which access point the user try to connect
This is the place where freeradius gets the password from MySQL, and if the password is ok we can see:
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Success
My question is as I have written:
Is it possible to set freeradius to send Access-Accept only when a user tries to connect to a specified access point?
And how to do it? :-)
Norboro
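As an added example that is not part of the original post: a small Python script that parses the debug lines quoted above (re-embedded here as constructed sample input) and pairs the outer Access-Request's NAS-IP-Address with the identity that PEAP later reveals inside the tunnel, so an administrator can at least audit which access point each PEAP user came through. The ALLOWED_NAS policy table and the function names are hypothetical; the script only reads debug output and does not change what freeradius decides.

```python
import re

# Constructed sample: the debug excerpt from the post above, trimmed to the lines the parser needs.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.10.10.123:2048, id=247, length=261
User-Name = "Adam Nowak"
NAS-IP-Address = 10.10.10.123
rlm_sql (sql): sql_set_user escaped user --> 'Adam Nowak'
rlm_eap_peap: Session established. Decoding tunneled attributes.
PEAP: Got tunneled identity of wlxtbp
PEAP: Setting User-Name to wlxtbp
rlm_sql (sql): sql_set_user escaped user --> 'wlxtbp'
rlm_eap_peap: Success
"""

# Hypothetical policy: which access point (NAS-IP-Address) each inner identity may use.
ALLOWED_NAS = {"wlxtbp": {"10.10.10.123"}}

RE_RECV = re.compile(r"^rad_recv: Access-Request packet from host (\S+):\d+, id=(\d+)")
RE_NAS = re.compile(r"^NAS-IP-Address = (\S+)")
RE_TUNNEL_ID = re.compile(r"^PEAP: Got tunneled identity of (\S+)")


def pair_identity_with_nas(log_text):
    """Walk the debug output in order, remembering the NAS-IP-Address of the
    current outer Access-Request and attaching it to the tunneled identity that
    PEAP reveals later. Returns a list of (packet_id, identity, nas_ip)."""
    pairs = []
    packet_id = nas_ip = None
    for line in log_text.splitlines():
        line = line.strip()
        m = RE_RECV.match(line)
        if m:
            # Source host of the packet is a fallback; the attribute below overrides it.
            packet_id, nas_ip = int(m.group(2)), m.group(1)
            continue
        m = RE_NAS.match(line)
        if m:
            nas_ip = m.group(1)
            continue
        m = RE_TUNNEL_ID.match(line)
        if m:
            pairs.append((packet_id, m.group(1), nas_ip))
    return pairs


def check_policy(pairs, allowed=ALLOWED_NAS):
    """Return the (identity, nas_ip) pairs that are not in the allowlist."""
    return [(ident, nas) for _, ident, nas in pairs if nas not in allowed.get(ident, set())]
```

Run it over a full `radiusd -X` capture rather than the trimmed excerpt; any pair returned by check_policy is a user who authenticated through an access point the policy does not list.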