radcheck & NAS-identifier

YvesDM ydmlog at gmail.com
Thu Oct 18 09:14:49 CEST 2007


FR + mysql auth&acct.
Sometimes I need to restrict users or groups to acces a certain NAS.
I use the nas-identifier attribute to recognize the nas
To accomplish this I just add an entry to radcheck or radgroupcheck like

NAS-identifier !=  nas-name

This works fine but, sometimes I use radtest directly on the server to test
accounts if someone claims he/she is unable to login.
Now for every user/group I've set the above entry in the database, radcheck
on the server always returns an acces-reject for some reason.
Though, users can login the nas's they are allowed to and get rejected on
the certain nas I've specified, so the setup itself is working.

But I've kind of lost my "account testing utitlity" :-)
I don't understand why radcheck fails on these accounts. I understand
radcheck doesn't send any nas-identifier, but I used operator ' ! = '
and not ' ==' so shouldn't the radius accept radtest requests on localhost?
I 'm sure there is a good explanation why radtest returns an Acces-reject,
but I'd like to know  why and, if possible,  if there is a
solution/work-around for this.

Many tnx,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20071018/72af645d/attachment.html>

More information about the Freeradius-Users mailing list