Restricting dialup users to certain client definitions only
Todd R.
tjrlist at lightwavetech.com
Tue Dec 23 10:46:07 CET 2008
Only problem I see with this approach is that I have to assign every user to
two groups now in radusersgroup table.
Or.. Is there a better way?
--Todd R.
-----Original Message-----
From: freeradius-users-bounces+tjrlist=lightwavetech.com at lists.freeradius.org [mailto:freeradius-users-bounces+tjrlist=lightwavetech.com at lists.freeradius.org] On Behalf Of Todd R.
Sent: Tuesday, December 23, 2008 3:43 AM
To: 'FreeRadius users mailing list'
Subject: RE: Restricting dialup users to certain client definitions only
Thanks.. I assumed that if something didn't match in the group that there
was a reject. I was unsure how to make it reject if something didn't match
in the group.
I just figured out how to do this I think.
I set up another group called dialusers-denied and then assigned the user to
two groups like so:
Testuser > dialusers > priority 1
Testuser > dialusers-denied > priority 2
For dialusers I set the client-ip-address check, if there is a match then
the attributes are sent and all is well.
For dialusers-denied group I set a check item for Auth-Type Reject.
If the check item/s fail for dialusers those attributes aren't sent but it
then falls through to dialusers-denied group and sends the Auth-Type Reject.
This seems to work, hopefully I got it now and this is the way it's supposed
to be done.
Just took me a while to get how to reject if a check didn't match.
Things work in my testing but if I am going down the wrong road, please let
me know.
Thanks!
--Todd R.
-----Original Message-----
From: freeradius-users-bounces+tjrlist=lightwavetech.com at lists.freeradius.org [mailto:freeradius-users-bounces+tjrlist=lightwavetech.com at lists.freeradius.org] On Behalf Of tnt at kalik.net
Sent: Tuesday, December 23, 2008 3:34 AM
To: FreeRadius users mailing list
Subject: RE: Restricting dialup users to certain client definitions only
>OK, took me a while but here is the SQL dump and the Debug output. One thing
>that's interesting is that I only seem to get my reply attributes from the
>radgroupreply table when I am coming from the allowed client-ip-address,
>when coming from any other IP I still get an accept but I get no reply
>attributes. So, FR seems to know the difference but I guess I am just not
>sending the reject or something?
>
That's how groups work. If a group check doesn't match - group reply
attributes are ignored. User doesn't get rejected if one of the groups
he belongs to doesn't match. SQL is a storage facility - it's not an
authentication method.
Ivan Kalik
Kalik Informatika ISP
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
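The two-group arrangement discussed in this thread, as an added example that is not part of the original messages and is not FreeRADIUS code: a simplified model of group processing run over constructed rows. The table and column names assume the stock FreeRADIUS SQL schema, and the IP address and the Framed-Protocol reply item are placeholders.

```python
import sqlite3

# Constructed sample rows. Table and column names assume the stock FreeRADIUS
# SQL schema; 192.0.2.10 and Framed-Protocol are placeholder values.
ROWS = """
CREATE TABLE radusergroup  (username TEXT, groupname TEXT, priority INTEGER);
CREATE TABLE radgroupcheck (groupname TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radgroupreply (groupname TEXT, attribute TEXT, op TEXT, value TEXT);
INSERT INTO radusergroup VALUES ('Testuser', 'dialusers', 1),
                                ('Testuser', 'dialusers-denied', 2);
INSERT INTO radgroupcheck VALUES
    ('dialusers',        'Client-IP-Address', '==', '192.0.2.10'),
    ('dialusers-denied', 'Auth-Type',         ':=', 'Reject');
INSERT INTO radgroupreply VALUES ('dialusers', 'Framed-Protocol', ':=', 'PPP');
"""

def load(with_deny_group=True):
    db = sqlite3.connect(":memory:")
    db.executescript(ROWS)
    if not with_deny_group:  # the setup before the dialusers-denied group was added
        db.execute("DELETE FROM radusergroup WHERE groupname = 'dialusers-denied'")
    return db

def evaluate(db, username, request):
    """Simplified model of group processing, not FreeRADIUS code.
    Returns (decision, reply) assuming the password check itself succeeds."""
    config, reply = {}, {}
    groups = db.execute("SELECT groupname FROM radusergroup WHERE username = ? "
                        "ORDER BY priority", (username,)).fetchall()
    for (group,) in groups:
        checks = db.execute("SELECT attribute, op, value FROM radgroupcheck "
                            "WHERE groupname = ?", (group,)).fetchall()
        # '==' items must equal the request value; ':=' items are set on a match.
        if any(op == "==" and request.get(attr) != val for attr, op, val in checks):
            continue  # check failed: skip this group's reply, try the next group
        config.update({attr: val for attr, op, val in checks if op == ":="})
        reply.update(db.execute("SELECT attribute, value FROM radgroupreply "
                                "WHERE groupname = ?", (group,)).fetchall())
        if reply.pop("Fall-Through", "No") != "Yes":
            break  # a matched group ends processing unless it asks to fall through
    decision = "Reject" if config.get("Auth-Type") == "Reject" else "Accept"
    return decision, reply
```

Calling `evaluate(load(False), ...)` from a client other than 192.0.2.10 reproduces the accept with no reply attributes reported in the quoted message; with the deny group present the same request is rejected.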