Restricting dialup users to certain client definitions only

Todd R. tjrlist at lightwavetech.com
Sat Dec 20 02:29:22 CET 2008


Just a clarification on my earlier response. I mentioned that I put the rule
in radcheck when in fact I was putting it in radgroupcheck.

Thing is, when I put it in radcheck it works. When I put the same rule in
radgroupcheck, it fails.

Example:

radcheck Table: (This works and properly rejects the auth attempt if the
client IP is not 5.6.7.21)
ID: xxx
Username: joeuser
Attribute: Client-IP-Address
OP: ==
Value: 5.6.7.21

radgroupcheck Table: (Does Not Work)
ID: xxx
GroupName: dialusers-t
Attribute: Client-IP-Address
OP: ==
Value: 5.6.7.21


Of course I also have joeuser assigned to the dialusers-t group in the
radusergroup table.

Regards,
 Todd R.


-----Original Message-----
From: freeradius-users-bounces+tjrlist=lightwavetech.com at lists.freeradius.org
[mailto:freeradius-users-bounces+tjrlist=lightwavetech.com at lists.freeradius.org]
On Behalf Of Todd R.
Sent: Friday, December 19, 2008 3:30 PM
To: 'FreeRadius users mailing list'
Subject: RE: Restricting dialup users to certain client definitions only

Jeff & List,

Thanks, this seems fairly simple so I gave it a whirl... for the last two hours
or so :( No joy.

Of course, it's entirely possible I totally missed your point.

Here is what I tried:

I have a user called "user" who is assigned to the "dialusers-t" user group
in the "radusergroup" table.

I am using NTRadPing from my laptop located at let's say 5.6.7.8 which
correctly shows up in the debug as Client-IP-Address.

Now I wanted to test to see if I could put a rule (based on what you showed
me) into the radcheck table and get a reject in my test client based on the
fact that the Client-IP-Address I am connecting from with my test client is
not the one allowed in my radcheck table for the group the user belongs to.

Here is the rule:
ID: xxx
GroupName: dialusers-t
Attribute: Client-IP-Address
OP: ==
Value: 5.6.7.21

So, I thought that this would not allow a user from a client IP unless it
was 5.6.7.21. So I tried to auth from my test client located at an IP
address OTHER than 5.6.7.21 and I still get an accept.

I have played around with different operators and such but still no luck.

Any ideas?

Thanks!

Regards,
 Todd R.




