Restricting certain users access to certain NAS devices
Alan DeKok
aland at deployingradius.com
Sun Jun 6 10:34:59 CEST 2010
Whitmarsh Mark (Leeds Teaching Hospitals NHS Trust) wrote:
> Thanks Alan. I've got that bit working now.
> However, I can't get my check on the NAS-IP-Address attribute to work.
>
> I now have this config:
OK... that should configure two groups.
> File sites-enabled/default - post-auth section
>
> etc_group
> nas_group
Which adds the User_Group_Name attribute to the request, as documented
in "man rlm_passwd", and raddb/modules/passwd.
> exec
> #if ("%{NAS-IP-Address}" == xxx.xxx.225.59) {
FYI: this could be simpler:
    if (NAS-IP-Address == xxx.xxx.225.59) {
> # update reply {
> # Reply-Message := "Mark Whitmarsh not allowed here"
> # }
> # reject
> #}
> if ("%{User_Group_Name}" == path_group) {
Again: if (User_Group_Name == path_group) {
> In debug nas_group always returns notfound. If I change the nas_group module to use Calling-Station-Id for example then it successfully returns my IP address (xxx.xxx.104.10).
> Is it because NAS-IP-Address is type ipaddr that it doesn't find it in the nas_group file?
It shouldn't be.
So... what does debug mode say?
Alan DeKok.