Restricting dialup users to certain client definitions only

Todd R. tjrlist at lightwavetech.com
Tue Dec 23 10:43:05 CET 2008


Thanks.. I assumed that if something didn't match in the group that there
was a reject. I was unsure how to make it reject if something didn't match
in the group.

I just figured out how to do this I think.

I set up another group called dialusers-denied and then assigned the user to
two groups like so:

Testuser > dialusers > priority 1
Testuser > dialusers-denied > priority 2

For dialusers I set the client-ip-address check, if there is a match then
the attributes are sent and all is well.

For dialusers-denied group I set a check item for Auth-Type Reject.

If the check item/s fail for dialusers those attributes aren't sent but it
then falls through to dialusers-denied group and sends the Auth-Type Reject.

This seems to work, hopefully I got it now and this is the way it's supposed
to be done.

Just took me a while to get how to reject if a check didn't match.

Things work in my testing but if I am going down the wrong road, please let
me know.

Thanks!

--Todd R.
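The two-group arrangement described above, written out as rlm_sql rows. This is an added example, not SQL from the thread; the table and column names follow the standard FreeRADIUS SQL schema (radusergroup, radgroupcheck, radgroupreply), while the NAS address and the reply attributes are constructed sample values.

```sql
-- Added example (not from the thread): the rlm_sql rows that implement the
-- scheme above. The client address 192.0.2.10 and the reply attributes are
-- constructed placeholders; substitute your own.

-- 1. Put the user in both groups; the lower priority number is evaluated first,
--    so dialusers is checked before dialusers-denied.
INSERT INTO radusergroup (username, groupname, priority)
VALUES ('Testuser', 'dialusers',        1),
       ('Testuser', 'dialusers-denied', 2);

-- 2. dialusers only matches when the request arrived from the permitted NAS.
INSERT INTO radgroupcheck (groupname, attribute, op, value)
VALUES ('dialusers', 'Client-IP-Address', '==', '192.0.2.10');

-- 3. Reply attributes sent only when the dialusers check items match
--    (constructed sample attributes).
INSERT INTO radgroupreply (groupname, attribute, op, value)
VALUES ('dialusers', 'Service-Type',    ':=', 'Framed-User'),
       ('dialusers', 'Framed-Protocol', ':=', 'PPP');

-- 4. Catch-all group: a request that falls through to it (because the
--    dialusers check failed) is rejected instead of accepted with no reply.
INSERT INTO radgroupcheck (groupname, attribute, op, value)
VALUES ('dialusers-denied', 'Auth-Type', ':=', 'Reject');
```

A request from any client other than 192.0.2.10 skips the dialusers reply rows, falls through to dialusers-denied and is rejected; running the server in debug mode (radiusd -X) shows which group's check items matched for a given request.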

-----Original Message-----
From: freeradius-users-bounces+tjrlist=lightwavetech.com at lists.freeradius.org [mailto:freeradius-users-bounces+tjrlist=lightwavetech.com at lists.freeradius.org] On Behalf Of tnt at kalik.net
Sent: Tuesday, December 23, 2008 3:34 AM
To: FreeRadius users mailing list
Subject: RE: Restricting dialup users to certain client definitions only

>OK, took me a while but here is the SQL dump and the Debug output. One thing
>that's interesting is that I only seem to get my reply attributes from the
>radgroupreply table when I am coming from the allowed client-ip-address,
>when coming from any other IP I still get an accept but I get no reply
>attributes. So, FR seems to know the difference but I guess I am just not
>sending the reject or something?
>

That's how groups work. If a group check doesn't match - group reply
attributes are ignored. User doesn't get rejected if one of the groups
he belongs to doesn't match. SQL is a storage facility - it's not an
authentication method.

Ivan Kalik
Kalik Informatika ISP
