Restrict to initial NAS used to logon
Tuc at T-B-O-H.NET
ml at t-b-o-h.net
Fri Apr 11 00:45:15 CEST 2008
>
> Tuc at T-B-O-H.NET wrote:
> > Looking to restrict a user to only be able to log in
> > and re-log in to the initial NAS they first ever logged onto.
> > (Hotspot) Looking at the radacct file where it looks like
> > the check-items normally go against, I'm not seeing anything I
> > can use as an identifier. The nasipaddress is always 0.0.0.0.
> > Maybe calledstationid, except if we swap equipment out during
> > the lifetime of a user's id it won't match.
> >
> > Is anyone doing anything like this already?
>
> They usually use equipment that sends a NAS identifier.
>
Hrm.... I just originally went on the assumption that the sending
side was partially braindead, and wasn't sending it. Your comment
made me dump a session on 1812 and 1813...
1812:
Radius Protocol
Code: Access-Request (1)
Packet identifier: 0x0 (0)
Length: 216
Authenticator: A9A4B05B3C01784A8DF58849DB987135
[The response to this request is in frame 2]
Attribute Value Pairs
AVP: l=5 t=User-Name(1): tuc
AVP: l=18 t=CHAP-Challenge(60): 894209E703975A194529D13926790197
AVP: l=19 t=CHAP-Password(3): 0A6E0AEA789A9A0AF0E2A7F15B04E6A289
AVP: l=6 t=NAS-IP-Address(4): 0.0.0.0
AVP: l=6 t=Service-Type(6): Login-User(1)
AVP: l=6 t=Framed-IP-Address(8): 192.168.182.4
AVP: l=19 t=Calling-Station-Id(31): 00-10-A4-10-8D-A6
AVP: l=19 t=Called-Station-Id(30): 00-16-01-91-E9-46
AVP: l=10 t=NAS-Identifier(32): TBOH2173
AVP: l=18 t=Acct-Session-Id(44): 47fe006e00000000
AVP: l=6 t=NAS-Port-Type(61): Wireless-802.11(19)
AVP: l=6 t=NAS-Port(5): 0
AVP: l=18 t=Message-Authenticator(80): F0AE0A9EE7DAC32F9AA6089A5A9C3A70
AVP: l=40 t=Vendor-Specific(26) v=WISPr(14122)
1813:
Radius Protocol
Code: Accounting-Request (4)
Packet identifier: 0x6 (6)
Length: 142
Authenticator: 48DCF71BE50EC2E9ECC17825FB6D2417
[The response to this request is in frame 2]
Attribute Value Pairs
AVP: l=6 t=Acct-Status-Type(40): Start(1)
AVP: l=5 t=User-Name(1): tuc
AVP: l=11 t=Class(25): 303730333435363738
AVP: l=19 t=Calling-Station-Id(31): 00-10-A4-10-8D-A6
AVP: l=19 t=Called-Station-Id(30): 00-16-01-91-E9-46
AVP: l=6 t=NAS-Port-Type(61): Wireless-802.11(19)
AVP: l=6 t=NAS-Port(5): 0
AVP: l=10 t=NAS-Port-Id(87): 00000000
AVP: l=6 t=NAS-IP-Address(4): 0.0.0.0
AVP: l=10 t=NAS-Identifier(32): TBOH2173
AVP: l=6 t=Framed-IP-Address(8): 192.168.182.4
AVP: l=18 t=Acct-Session-Id(44): 47fe006e00000000
So it looks like it's sending it, just not making it into
the radacct files. :-/ So where to start looking for that?
>
> Or, use the "Packet-Src-IP-Address" attribute.
>
That's gonna take a bit of headscratching to figure out
about. :) But thanks for the lead.
Tuc
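
The policy discussed in this message (pin a user to the NAS of their first login, keyed on NAS-Identifier rather than NAS-IP-Address or Called-Station-Id), as an added stand-alone sketch that is not part of the original post and is not FreeRADIUS configuration. The names parse_avps, NasPinning and first_nas are hypothetical, and the swapped MAC address and the identifier TBOH9999 are constructed sample values.

```python
import re

# Matches dissector lines such as "AVP: l=10 t=NAS-Identifier(32): TBOH2173".
AVP_RE = re.compile(r"AVP: l=\d+ t=([A-Za-z0-9-]+)\(\d+\): (.*)")

def parse_avps(dump):
    """Return {attribute name: value} for one dissected RADIUS packet."""
    avps = {}
    for line in dump.splitlines():
        m = AVP_RE.search(line)
        if m:
            avps[m.group(1)] = m.group(2).strip()
    return avps

class NasPinning:
    """Pin each User-Name to the NAS-Identifier of its first login (hypothetical)."""

    def __init__(self):
        self.first_nas = {}  # in-memory stand-in for a real user -> NAS table

    def check(self, avps):
        user, nas = avps.get("User-Name"), avps.get("NAS-Identifier")
        if not user or not nas:
            return "reject"  # nothing reliable to pin on: fail closed
        # NAS-IP-Address (0.0.0.0 here) and Called-Station-Id are ignored.
        pinned = self.first_nas.setdefault(user, nas)
        return "accept" if pinned == nas else "reject"

# Attributes taken from the Access-Request in the post.
FIRST_LOGIN = """\
AVP: l=5 t=User-Name(1): tuc
AVP: l=6 t=NAS-IP-Address(4): 0.0.0.0
AVP: l=19 t=Called-Station-Id(30): 00-16-01-91-E9-46
AVP: l=10 t=NAS-Identifier(32): TBOH2173
"""
# Constructed: same NAS after a hardware swap (new Called-Station-Id).
AFTER_SWAP = FIRST_LOGIN.replace("00-16-01-91-E9-46", "00-16-01-AA-BB-CC")
# Constructed: the same user arriving through a different NAS.
OTHER_NAS = FIRST_LOGIN.replace("TBOH2173", "TBOH9999")
# Constructed: a request that carries no NAS-Identifier at all.
NO_IDENT = "\n".join(FIRST_LOGIN.splitlines()[:3])

if __name__ == "__main__":
    policy = NasPinning()
    for name in ("FIRST_LOGIN", "AFTER_SWAP", "OTHER_NAS", "NO_IDENT"):
        print(name, policy.check(parse_avps(globals()[name])))
```

The pin is only as trustworthy as the NAS-Identifier itself, so it should be evaluated only on requests from a known RADIUS client with a valid shared secret.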