Reject authentication attempts based on "cli" value?

John T. Guthrie guthrie at counterexample.org
Fri Mar 16 03:59:35 CET 2007


On Thu, 2007-03-15 at 11:23 -0500, markcapelle at pcmc.com wrote:
> It is a Cisco WLAN 4402.  For reference, here is a log entry from a user
> connecting from the Guest network:
> 
>    Thu Mar 15 07:10:52 2007 : Auth: Login OK: [guestuser] (from client
> PCMCWLANCTRLR1 port 0 cli 192.168.100.101)
> 
> And here is a log entry from someone connecting via 802.1x on another
> network:
> 
>    Thu Mar 15 07:26:36 2007 : Auth: Login OK: [DOMAIN\\guestuser] (from
> client PCMCWLANCTRLR1 port 1 cli 00-12-F0-19-6E-B3)
> 
> As you can see the only way I have to differentiate these two auth attempts
> is via the "cli" value.  192.168.100.x is the subnet range of my Guest
> network.  I want all auth attempts from 192.168.100.x to be rejected.
> 
> Hope someone can help me out with this.
> 
> Thanks.

I apologize if you've already done this, but have you looked at the
detail module in the radiusd.conf file?  I have sometimes found that
turning on the detail accounting files will provide clues when trying to
figure out differences between different requests.

You should find these in the modules section of the radiusd.conf file.
If you un-comment them, you should be able to get some more information 
from each request.  (The resulting files should end up in some place
like /var/log/radius/radacct or something like that.)

-- 
John Guthrie
guthrie at counterexample.org
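
Added example, not part of the original messages: a small Python audit of radius.log "Auth:" lines that separates the two kinds of "cli" value shown in the quoted log entries and lists successful logins whose cli falls in the guest range. It assumes "192.168.100.x" means 192.168.100.0/24; the function names are hypothetical, and the sample lines are the two from the post with the mail wrapping rejoined.

```python
import ipaddress
import re

# Assumption: "192.168.100.x" in the post means this /24.
GUEST_NET = ipaddress.ip_network("192.168.100.0/24")

# The two log entries quoted in the post, mail line wraps rejoined.
SAMPLE_LOG = r"""
Thu Mar 15 07:10:52 2007 : Auth: Login OK: [guestuser] (from client PCMCWLANCTRLR1 port 0 cli 192.168.100.101)
Thu Mar 15 07:26:36 2007 : Auth: Login OK: [DOMAIN\\guestuser] (from client PCMCWLANCTRLR1 port 1 cli 00-12-F0-19-6E-B3)
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4}) : Auth: (?P<result>[^:]+): "
    r"\[(?P<user>.*)\] \(from client (?P<nas>\S+) port (?P<port>\d+)"
    r"(?: cli (?P<cli>[^)]*))?\)$"
)
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:[-:]?[0-9A-Fa-f]{2}){5}$")


def classify_cli(cli):
    """Return 'guest-ip', 'other-ip', 'mac', 'missing' or 'unknown'."""
    if not cli:
        return "missing"
    cli = cli.strip()
    try:
        addr = ipaddress.ip_address(cli)
    except ValueError:
        # Not an IP address: the 802.1x entry carries a MAC address instead.
        return "mac" if MAC_RE.match(cli) else "unknown"
    return "guest-ip" if addr in GUEST_NET else "other-ip"


def guest_logins(log_text):
    """List (timestamp, user, cli) for accepted logins from the guest range."""
    hits = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line.strip())
        if m and m["result"] == "Login OK" and classify_cli(m["cli"]) == "guest-ip":
            hits.append((m["ts"], m["user"], m["cli"]))
    return hits


if __name__ == "__main__":
    for ts, user, cli in guest_logins(SAMPLE_LOG):
        print(f"{ts}  accepted guest-range login: user={user} cli={cli}")
```
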


