Restrict user only to a NAS
Brian Candler
B.Candler at pobox.com
Tue May 10 21:54:08 CEST 2011
On Tue, May 10, 2011 at 01:59:44PM -0300, Marcos TP wrote:
> Huntgroups I know, but the functionality it provides is not for me.
> I need the user to only have permission to access a NAS; the most I could
> do with Huntgroups was to restrict the access group, because several
> groups have access, containing their speed, and I can not do the search
> by access group, but by concentrator.
Read the "unlang" documentation; then add some logic in the "authorize"
section of your server config. You don't even need huntgroups if you're
just authorizing a single NAS-IP-Address:
    if ("%{control:Permitted-NAS}" && "%{control:Permitted-NAS}" != NAS-IP-Address) {
        reject
    }
However, I'd suggest you use huntgroups for greater flexibility:
    if ("%{control:Permitted-Huntgroup}" && "%{control:Permitted-Huntgroup}" != Huntgroup-Name) {
        reject
    }
Using this approach, you'd need to add new attributes to your dictionary,
such as "Permitted-NAS" and "Permitted-Huntgroup" in the examples above (I
just picked these names at random).
Then in the radcheck table for the user, set the control attribute:
    Permitted-NAS := 1.2.3.4
That's one way to do it anyway.
> I think the lock should be in the Login table, where I have a field to
> indicate which NAS that user has access to.
Ah, well, if you have a custom schema, then you need to show the schema.
If you have a "users" table and you do a join to select the radcheck
attributes, then you could just change the query you're using, limiting it
to only matching the expected NAS-IP-Address or Huntgroup-Name:
    ... AND (permitted_nas = '%{NAS-IP-Address}'
             OR permitted_nas IS NULL)
alternatively:
    ... AND (permitted_huntgroup = '%{Huntgroup-Name}'
             OR permitted_huntgroup IS NULL)
Regards,
Brian.
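The "change the query" approach from the reply above, as an added example that is not part of the original thread: the same join and NULL-means-any filter run against a constructed in-memory SQLite copy of a minimal FreeRADIUS-style schema. The users table, its permitted_nas column and the sample rows are assumptions picked to match the reply's wording. Two caveats worth keeping in mind when you wire this into sql.conf: rlm_sql expands %{SQL-User-Name} and %{NAS-IP-Address} into the query text itself (escaping characters outside its safe-characters list), and NAS-IP-Address is whatever the NAS chose to put in the Access-Request, so if you want to pin a user to a particular configured client rather than to a value the NAS asserts, compare against Packet-Src-IP-Address instead.

```python
# Added example, not code from the original thread or from FreeRADIUS:
# the reply's modified authorize_check_query exercised against constructed
# sample data. The users table and permitted_nas column are assumptions.
import sqlite3

# Shape of rlm_sql's authorize_check_query (the radcheck lookup) with the
# join and NAS filter from the reply added. In sql.conf the server expands
# %{SQL-User-Name} and %{NAS-IP-Address} into the query string itself;
# here '?' placeholders stand in for those two expansions.
AUTHORIZE_CHECK_QUERY = """
SELECT rc.id, rc.username, rc.attribute, rc.value, rc.op
  FROM radcheck AS rc
  JOIN users AS u ON u.username = rc.username
 WHERE rc.username = ?
   AND (u.permitted_nas = ? OR u.permitted_nas IS NULL)
 ORDER BY rc.id
"""


def build_db():
    """Constructed sample data: alice is pinned to one NAS, bob is not."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE radcheck (
            id INTEGER PRIMARY KEY, username TEXT NOT NULL,
            attribute TEXT NOT NULL, op TEXT NOT NULL, value TEXT NOT NULL);
        CREATE TABLE users (username TEXT PRIMARY KEY, permitted_nas TEXT);
        INSERT INTO users VALUES ('alice', '1.2.3.4');
        INSERT INTO users VALUES ('bob', NULL);
        INSERT INTO radcheck (username, attribute, op, value)
            VALUES ('alice', 'Cleartext-Password', ':=', 'alice-pw');
        INSERT INTO radcheck (username, attribute, op, value)
            VALUES ('bob', 'Cleartext-Password', ':=', 'bob-pw');
    """)
    return conn


def check_items(conn, username, nas_ip):
    """Check items the query yields for one Access-Request.

    nas_ip=None models a request with no NAS-IP-Address attribute: the xlat
    then expands to the empty string, which never equals a stored address,
    so a pinned user gets no rows. An empty result means rlm_sql finds no
    entry for the user, and with no other module supplying a password the
    request is rejected.
    """
    expanded = "" if nas_ip is None else nas_ip
    rows = conn.execute(AUTHORIZE_CHECK_QUERY, (username, expanded)).fetchall()
    # SELECT order is id, username, attribute, value, op
    return [(attr, op, value) for (_id, _user, attr, value, op) in rows]


if __name__ == "__main__":
    db = build_db()
    for user, nas in [("alice", "1.2.3.4"), ("alice", "5.6.7.8"),
                      ("alice", None), ("bob", "5.6.7.8")]:
        print(user, nas, "->", check_items(db, user, nas) or "no entry: reject")
```

Running it shows alice only receiving her check items when the request carries NAS-IP-Address 1.2.3.4, and bob receiving his from any NAS, including a request that carries no NAS-IP-Address at all.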