Best method to filter on calling-station-ID/IP Address?
D J
djohnson50000 at gmail.com
Tue Oct 14 23:14:54 CEST 2008
All,
I have VPN users who connect to a Cisco ASA firewall, which authenticates
using radius off of Freeradius. I would like to enforce which IP addresses
users may connect from. Am I correct to assume the Radius server is the
best place to perform this?
If so, what is the best way to go about doing this? Since our users.conf is
programmatically generated, hopefully the changing part of the configuration
can be isolated to this file? Below is an example login from the
free-radius server. I want to filter on "Calling-Station-Id", to enforce a
specified source IP which may vary by user.
Thanks!
rad_recv: Access-Request packet from host 3.3.3.3:1025, id=177, length=157
    User-Name = "john"
    User-Password = "xxxx"
    NAS-Port = xxxx
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Called-Station-Id = "1.1.1.1"
    Calling-Station-Id = "2.2.2.2"
    NAS-Port-Type = Virtual
    Tunnel-Client-Endpoint:0 = "4.4.4.4"
    NAS-IP-Address = 3.3.3.3
    Cisco-AVPair = "ip:source-ip=2.2.2.2N\233"
Processing the authorize section of radiusd.conf