authorization: unlang/NAS-IP-Address

leopold vova_b at yahoo.com
Wed Jul 23 14:43:44 CEST 2008


Hi,
I am using freeradius 2.0.5 with MySQL, I am very new to Radius and
FreRadius so please pardon my ignorance

I need to reject user if his NAS-IP-Address input attribute does not match
check attributes defined for his group.
For example radgroupcheck
| 1 | GROUP1       | NAS-IP-Address | == | x.x.x.1                
| 2 | GROUP1       | NAS-IP-Address | == | x.x.x.2                
| 3 | GROUP1       | NAS-IP-Address | == | x.x.x.3                

      
If user is coming from NAS-IP-Address x.x.x.1 or x.x.x.2 or x.x.x.3 the user
should be accepted and reply attributes are sent back
If however if user is coming from NAS-IP-Address y.y.y.1 he should be
rejected (even in the case he provide a valid password and NAS y.y.y.1 is
properly defined in NAS table with a valid shared key)

Since I found that only one operator "==" for NAS-IP-Address check attrubute
can be found, I changed 
authorize_group_check_query, but still I managed to get reply list as empty
for invalid NAS-IP and expected attributes from valid NAS (which is part of
check attributes) but user is accepted in both cases.

Is there a way to check if "reply" list is empty in unlang (does not contain
ANY attributes)?
I tried this, but it does not work.
 if (!reply:[0]) {
               # reply list is empty
               reject
       }

Do you have any suggestions?

Thanks you very much for your reply.
-- 
View this message in context: http://www.nabble.com/authorization%3A-unlang-NAS-IP-Address-tp18609937p18609937.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.




More information about the Freeradius-Users mailing list