Restricting certain users access to certain NAS devices

Alan DeKok aland at
Sun Jun 6 10:34:59 CEST 2010

Whitmarsh Mark (Leeds Teaching Hospitals NHS Trust) wrote:
> Thanks Alan. I've got that bit working now.
> However, I can't get my check on the NAS-IP-Address attribute to work.
> I now have this config:

  OK... that should configure two groups.

> File sites-enabled/default - post-auth section
>         etc_group
>         nas_group

  Which adds the User_Group_Name attribute to the request, as documented
in "man rlm_passwd", and raddb/modules/passwd.

>         exec
>         #if ("%{NAS-IP-Address}" == {

  FYI: this could be simpler

	if (NAS-IP-Address == {

>         #       update reply {
>         #               Reply-Message := "Mark Whitmarsh not allowed here"
>         #       }
>         #       reject
>         #}
>         if ("%{User_Group_Name}" == path_group) {

  Again:  if (User_Group_Name == path_group) {

> In debug nas_group always returns notfound. If I change the nas_group module to use Calling-Station-Id for example then it successfully returns my IP address (
> Is it because NAS-IP-Address is type ipaddr that it doesn't find it in the nas_group file?

  It shouldn't be.

  So... what does debug mode say?

  Alan DeKok.

More information about the Freeradius-Users mailing list