Is there a simple way to restrict a user in the 'users' file to access only a specific ip addr/device?

Jan Mulders lastchancehotel at gmail.com
Tue Jan 16 11:00:14 CET 2007


Hoping to be more helpful here, I know how to implement this functionality
in freeradius, but only when using a mysql database backend (which is a good
idea for most setups using more than about 20 users).

I am assuming you want to control user logins to multiple NASes and this is
what you meant by "user 'x' can only login to IP addr 'y' and /or 'z'". If
you need to just filter traffic based on real network devices, for example
where Y and Z are IP addresses on your network, you can safely ignore my
first radgroupcheck entry below that restricts NAS choice.
If you get a standard mysql setup working, all you need to do is add the
user's password to radcheck (for table names "username,attribute,op,value"
you should have "bobengineer,User-Password,==,nortel"), and add the user to
a group in radgroup (username, group = bobengineer,engineers). then you can
set group-specific policies by putting entries in radgroupcheck and
radgroupreply, such as...:

radgroupcheck: [groupname,attribute,op,value]
engineers,NAS-IP-Address,==,11.22.33.44    (all engineers connecting must do
so from NAS with IP addrss 11.22.33.44)
engineers, Pool-Name,==,engineers_pool   (all engineers connecting will be
assigned an IP from the 'engineers' IP pool, which means you can firewall
them off using IPTables (or the Shorewall frontend to iptables, which I
recommend using) or something similar)

Basically this provides you with both tools you will need - the ability to
restrict where users can log into, and the ability to restrict what IP
address users recieve. You'll need to set up rlm_ippool to automatically
assign IPs, and you'll want to make sure your NAS devices send accounting
packets (accounting start/stop are important - also if accounting stop's
aren't sent, you'll run out of IP addresses).

Hope this is a little more helpful than the usually flippent replies on the
mailing list, I was in the same boat before too :-)

thanks,

Jan


On 16/01/07, Peter Nixon <listuser at peternixon.net> wrote:
>
> Yep. Its called a firewall...
>
> -Peter
>
> On Tue 02 Jan 2007 20:39, Ellis, Scott 1 (N-Comptel Inc.) wrote:
> >  I am using PAM for auth-type in my users file. Is there a simple way to
> > say that user 'x' can only login to IP addr 'y' and /or 'z'? I have
> > groups of engrs, admins, and operators and need to discriminate who can
> > access which device........
> >
> > Scott
> >
> > -----Original Message-----
> > From: Ellis, Scott 1 (N-Comptel Inc.)
> > Sent: Tuesday, January 02, 2007 11:40 AM
> > To: 'FreeRadius users mailing list'
> > Cc: Ellis, Scott 1 (N-Comptel Inc.)
> > Subject: RE: How to restrict users /PAM to specific NAS devices??
> >
> > I have looked it over, but I am still not clear. I was thinking that I
> > could use huntgroups to map devices to specific groups, but then I am
> > not clear on how to restrict users ('users' file) to those groups. I
> > know this has probably been done most everywhere in one form or another.
> > Any examples that show the actual entries in the approp. files?
> >
> > Thanks,
> > Scott
> >
> > -----Original Message-----
> > From:
> > freeradius-users-bounces+scott.1.ellis=lmco.com at lists.freeradius.org
> > [mailto:freeradius-users-bounces+scott.1.ellis=lmco.com at lists.freeradius
> > .org] On Behalf Of Alan DeKok
> > Sent: Tuesday, January 02, 2007 9:43 AM
> > To: FreeRadius users mailing list
> > Subject: Re: How to restrict users /PAM to specific NAS devices??
> >
> > Ellis, Scott 1 (N-Comptel Inc.) wrote:
> > > I am using PAM for Auth-Type.
> > > I want to be able to either 1) restrict the devices the user has
> > > access to (admins,operators, etc) by username and/or 2) preferably
> > > carve into groups my network gear/NAS devices and then assign users to
> >
> > groups.
> >
> >  See "man rlm_passwd".  It's documentation describes how to create
> > groups like this.
> >
> >   Alan DeKok.
> > --
> >   http://deployingradius.com       - The web site of the book
> >   http://deployingradius.com/blog/ - The blog
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
>
> --
>
> Peter Nixon
> http://www.peternixon.net/
> PGP Key: http://www.peternixon.net/public.asc
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20070116/619f9c15/attachment.html>


More information about the Freeradius-Users mailing list