Is there a simple way to restrict a user in the 'users' file to access only a specific ip addr/device?

Peter Nixon listuser at peternixon.net
Wed Jan 17 10:42:02 CET 2007


Ahh. yes. Ignore my reply. I neglected to read the history and assumed that 
you wanted to restrict which network devices certain groups of users should 
be able to access AFTER they are connected.

-Peter

On Tue 16 Jan 2007 12:00, Jan Mulders wrote:
> Hoping to be more helpful here, I know how to implement this functionality
> in freeradius, but only when using a mysql database backend (which is a
> good idea for most setups using more than about 20 users).
>
> I am assuming you want to control user logins to multiple NASes and this
> is what you meant by "user 'x' can only login to IP addr 'y' and /or 'z'".
> If you need to just filter traffic based on real network devices, for
> example where Y and Z are IP addresses on your network, you can safely
> ignore my first radgroupcheck entry below that restricts NAS choice.
> If you get a standard mysql setup working, all you need to do is add the
> user's password to radcheck (for table names "username,attribute,op,value"
> you should have "bobengineer,User-Password,==,nortel"), and add the user
> to a group in radgroup (username, group = bobengineer,engineers). then you
> can set group-specific policies by putting entries in radgroupcheck and
> radgroupreply, such as...:
>
> radgroupcheck: [groupname,attribute,op,value]
> engineers,NAS-IP-Address,==,11.22.33.44    (all engineers connecting must
> do so from NAS with IP address 11.22.33.44)
> engineers, Pool-Name,==,engineers_pool   (all engineers connecting will be
> assigned an IP from the 'engineers' IP pool, which means you can firewall
> them off using IPTables (or the Shorewall frontend to iptables, which I
> recommend using) or something similar)
>
> Basically this provides you with both tools you will need - the ability to
> restrict where users can log into, and the ability to restrict what IP
> address users receive. You'll need to set up rlm_ippool to automatically
> assign IPs, and you'll want to make sure your NAS devices send accounting
> packets (accounting start/stop are important - also if accounting stops
> aren't sent, you'll run out of IP addresses).
>
> Hope this is a little more helpful than the usually flippant replies on
> the mailing list, I was in the same boat before too :-)
>
> thanks,
>
> Jan
>
> On 16/01/07, Peter Nixon <listuser at peternixon.net> wrote:
> > Yep. It's called a firewall...
> >
> > -Peter
> >
> > On Tue 02 Jan 2007 20:39, Ellis, Scott 1 (N-Comptel Inc.) wrote:
> > >  I am using PAM for auth-type in my users file. Is there a simple way
> > > to say that user 'x' can only login to IP addr 'y' and /or 'z'? I have
> > > groups of engrs, admins, and operators and need to discriminate who
> > > can access which device........
> > >
> > > Scott
> > >
> > > -----Original Message-----
> > > From: Ellis, Scott 1 (N-Comptel Inc.)
> > > Sent: Tuesday, January 02, 2007 11:40 AM
> > > To: 'FreeRadius users mailing list'
> > > Cc: Ellis, Scott 1 (N-Comptel Inc.)
> > > Subject: RE: How to restrict users /PAM to specific NAS devices??
> > >
> > > I have looked it over, but I am still not clear. I was thinking that I
> > > could use huntgroups to map devices to specific groups, but then I am
> > > not clear on how to restrict users ('users' file) to those groups. I
> > > know this has probably been done most everywhere in one form or
> > > another. Any examples that show the actual entries in the approp.
> > > files?
> > >
> > > Thanks,
> > > Scott
> > >
> > > -----Original Message-----
> > > From: freeradius-users-bounces+scott.1.ellis=lmco.com at lists.freeradius.org
> > > [mailto:freeradius-users-bounces+scott.1.ellis=lmco.com at lists.freeradius.org]
> > > On Behalf Of Alan DeKok
> > > Sent: Tuesday, January 02, 2007 9:43 AM
> > > To: FreeRadius users mailing list
> > > Subject: Re: How to restrict users /PAM to specific NAS devices??
> > >
> > > Ellis, Scott 1 (N-Comptel Inc.) wrote:
> > > > I am using PAM for Auth-Type.
> > > > I want to be able to either 1) restrict the devices the user has
> > > > access to (admins,operators, etc) by username and/or 2) preferably
> > > > carve into groups my network gear/NAS devices and then assign users
> > > > to groups.
> > >
> > >  See "man rlm_passwd".  Its documentation describes how to create
> > > groups like this.
> > >
> > >   Alan DeKok.
> > > --
> > >   http://deployingradius.com       - The web site of the book
> > >   http://deployingradius.com/blog/ - The blog
> > > -
> > > List info/subscribe/unsubscribe? See
> > > http://www.freeradius.org/list/users.html
> >
> > --
> >
> > Peter Nixon
> > http://www.peternixon.net/
> > PGP Key: http://www.peternixon.net/public.asc
> >
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
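The original question asked for the actual entries in the appropriate files. Below is an added example (not from any of the posters in this thread) of the huntgroups-plus-users-file approach Scott described: huntgroups map NAS addresses to named groups, and the users file then checks Huntgroup-Name before setting Auth-Type. The huntgroup names, the users "bobengineer" (from Jan's example) and the system group "operators" are assumed; 11.22.33.44 is the address from Jan's post and the other two addresses are constructed for illustration.

```text
# raddb/huntgroups  (added example; huntgroup names and the .45/.46 addresses are assumed)
# A huntgroup name may appear on several lines; each line is matched independently.
engineers-nas   NAS-IP-Address == 11.22.33.44
engineers-nas   NAS-IP-Address == 11.22.33.45
operators-nas   NAS-IP-Address == 11.22.33.46

# raddb/users  (added example)
# Entries are tried in order and the first one whose check items all match wins,
# so the catch-all reject must come last. Huntgroup-Name is set by rlm_preprocess
# from the huntgroups file above; Group == uses the unix module's system-group check.
bobengineer     Huntgroup-Name == "engineers-nas", Auth-Type := PAM
                Reply-Message = "engineers NAS"

DEFAULT         Huntgroup-Name == "operators-nas", Group == "operators", Auth-Type := PAM
                Reply-Message = "operators NAS"

# Default deny: any user/NAS combination not listed above is rejected,
# rather than falling through to an unrestricted PAM login.
DEFAULT         Auth-Type := Reject
                Reply-Message = "Not permitted on this device"
```

The final DEFAULT entry is the part worth checking after any edit: without it, a request from a NAS that matches no huntgroup can still reach an Auth-Type set elsewhere (for example a later, broader DEFAULT), which silently removes the per-device restriction. Running the server with `radiusd -X` and sending a test Access-Request with `radtest` for a user/NAS pair that should be refused is the quickest way to confirm the reject path is actually taken.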