Different Authentication for several devices (several Nas-Ip-Address)

nicolaskarp at free.fr nicolaskarp at free.fr
Mon Jul 23 17:30:00 CEST 2007


Called-Station-Id isn't equal to Nas-Ip-Address; it is equal to the PC where I
initiate the telnet connection.

It's not equal to my Nas-Ip :(

So, I would change the Called-Station-Id to Nas-Ip-Address and Nas-Ip-Address to
the proxy address.

Any idea?


Quoting tnt at kalik.co.yu:

> OK. If your devices put their IP addresses in the Called-Station-Id field
> there is no need to do rewrites. You can use regexp operators to
> control access as the Called-Station-Id attribute is a string.
>
> NAS1   NAS-IP-Address == proxyIP, Called-Station-Id =~ "^192.168.48."
>            Dev group(s) in reply
>
> NAS2   NAS-IP-Address == proxyIP, Called-Station-Id =~ "^192.168.49."
>            Prod group(s) in reply
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> You can leave out this proxy IP check if all traffic comes over the
> proxy. You might need to escape periods in regexp.
>
> On 23/7/2007, "nicolaskarp at free.fr" <nicolaskarp at free.fr> wrote:
>
> >Re-Hello ;-)
> >
> >I've searched for how I can do this but I can't find it...
> >
> >I want to do this:
> >
> >If NAS-IP-Address == 192.168.48.0/24 --> Rewrite Calling-station-id to "Dev"
> >else
> >  If NAS-IP-Address == 192.168.48.0/24 --> Rewrite Calling-station-id to "Prod"
> >  else
> >    Do nothing.
> >  fi
> >fi
> >
> >I don't know how to check the NAS-IP-ADDRESS attribute and rewrite another
> >attribute (Calling-Station-ID)..
> >
> >Thank you for your help !!
> >
> >NicolaS.
> >
> >Quoting nicolaskarp at free.fr:
> >
> >> Hello,
> >>
> >> Thank you for your help but I don't understand how you can make it.
> >>
> >> Here is the configuration that I am trying:
> >>
> >> # Replace the NAS-IP-Address with the proxy IP
> >> attr_rewrite overwrite_nasip {
> >>         attribute = "NAS-IP-Address"
> >>         searchfor = ".*"
> >>         packet    = packet
> >>         replacewith = "10.28.65.130"
> >>         max_matches = 1
> >> }
> >>
> >> # Dev Eqpt : 192.168.48.0/24
> >> attr_rewrite dev_equipment {
> >>         attribute = "Calling-Station-Id"
> >>         searchfor = ".*"
> >>         packet    = packet
> >>         replacewith = "Dev"  # --> Replace String Dev for all Eqpts but not for 192.168.48.0/24!!
> >>         max_matches = 1
> >> }
> >>
> >> preproxy {
> >>   files
> >>   overwrite_nasip
> >>   dev_equipment
> >> }
> >>
> >> Here is what I want:
> >>
> >> 1.
> >>
> >> If [ NAS-IP-Address =~ 192.168.48.* ]
> >>   Calling-Station-Id = Dev
> >> else
> >>    if [ NAS-IP-Address =~ 192.168.49.* ]
> >>        Calling-station-id = Prod
> >>    else
> >>        Calling-station-id = Any
> >>    fi
> >> fi
> >>
> >> 2.
> >> the proxy forwards the access-request to the radius server
> >>
> >> 3.
> >> The radius server receives the access-request
> >>    If [ Nas-IP-Address == Proxy-IP and Calling-Station-Id == Dev ]
> >>      instance_openldap-Ldap-Group == CiscoDev
> >>    else
> >>       If [ Nas-IP-Address == Proxy-IP and Calling-Station-Id = Prod ]
> >>          instance_openldap-Ldap-Group == CiscoProd
> >>       else
> >>          instance_openldap-Ldap-Group == CiscoOthers
> >>       fi
> >>    fi
> >>
> >> Thank you for your assistance
> >>
> >> Nicolas.
> >>
> >>
> >>
> >>
> >>
> >>
> >> -
> >> List info/subscribe/unsubscribe? See
> >> http://www.freeradius.org/list/users.html
> >>
>
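
The reply's remark about escaping periods matters because Called-Station-Id is a free-form string that decides which group is returned. As an added example (not code from this thread or from FreeRADIUS), the Python below compares the reply's patterns as written, the same patterns with periods escaped, and a parsed-subnet check; the function names and sample values are assumptions for illustration, and Python's `re` stands in for the server's regex engine.

```python
import ipaddress
import re

PROXY_IP = "10.28.65.130"  # proxy address used in the thread's attr_rewrite block
FALLBACK = "CiscoOthers"   # group the thread assigns when nothing matches

# Patterns exactly as written in the reply: every "." matches any character.
AS_WRITTEN = {"CiscoDev": r"^192.168.48.", "CiscoProd": r"^192.168.49."}
# Same patterns with the periods escaped, as the reply suggests may be needed.
ESCAPED = {"CiscoDev": r"^192\.168\.48\.", "CiscoProd": r"^192\.168\.49\."}
# Parsed comparison against the two /24 networks named in the thread.
SUBNETS = {"CiscoDev": ipaddress.ip_network("192.168.48.0/24"),
           "CiscoProd": ipaddress.ip_network("192.168.49.0/24")}


def group_by_regex(patterns, nas_ip, called_station_id):
    """Pick the LDAP group by prefix regex; None if not from the proxy."""
    if nas_ip != PROXY_IP:
        return None
    for group, pattern in patterns.items():
        if re.search(pattern, called_station_id):
            return group
    return FALLBACK


def group_by_subnet(nas_ip, called_station_id):
    """Pick the LDAP group only if the value parses as an IPv4 address."""
    if nas_ip != PROXY_IP:
        return None
    try:
        addr = ipaddress.ip_address(called_station_id)
    except ValueError:
        return FALLBACK  # not an address at all, so never Dev or Prod
    for group, net in SUBNETS.items():
        if addr in net:
            return group
    return FALLBACK


# Constructed Called-Station-Id values, not taken from any real capture.
SAMPLES = ["192.168.48.17", "192.168.49.3", "192.168.480.9",
           "192-168-48-17", "192.168.48.999", "10.0.0.1"]

if __name__ == "__main__":
    for value in SAMPLES:
        print(f"{value:16} as-written={group_by_regex(AS_WRITTEN, PROXY_IP, value):12}"
              f" escaped={group_by_regex(ESCAPED, PROXY_IP, value):12}"
              f" subnet={group_by_subnet(PROXY_IP, value)}")
```

Escaping the periods rejects look-alike strings such as `192.168.480.9`, but a prefix regex still accepts `192.168.48.999`; only the parsed comparison treats the value as an address.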





More information about the Freeradius-Users mailing list