Selecting authentication based on NAS-IP-Address or Client IP Address
Alan DeKok
aland at deployingradius.com
Sat May 18 14:28:14 CEST 2013
Jeremiah Peterson wrote:
> I see that it is possible to create realms and have each realm use a different proxy, but what I am more interested in is having the authentication method be selected based on client.
>
> For example:
>
> If the request comes from IP 10.10.10.10 and user bob then use home_server_pool xxx (and return attribute "blah blah blah")
> If the request comes from IP 10.20.20.20 and user bob then use home_server_pool yyy (and return attribute "yadda yadda yadda")
> If the request comes from IP 10.30.30.30 and user bob then use home_server_pool zzz (and return results from SQL query "xxxxx")
Most of this can be done via "unlang". It has if/then/else checks,
just like you wrote above. You can even update the control items to
have "Home-Server-Pool := xxx".
> I can see how this is done when making the user enter a realm name or prefix or suffix to the username, but I don't want to do that for every authentication. I want the authentication method to be selected based on the client.
You can select the *source* for authentication credentials. You can't
select the authentication *method*. The client selects that. (PAP,
CHAP, etc.)
> I have been searching for details on all the configuration files but I am not finding anything very conclusive or explanatory on how to build custom sites.
It's pretty simple:

  if ((Packet-Src-IP-Address == 10.10.10.10) && (User-Name == "bob")) {
      update control {
          Home-Server-Pool := "xxx"
      }
  }

You can't edit the reply here, because it's set by the home server.
You'll need to set the reply in post-auth.
Alan DeKok.
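
Added example, not part of the original message or the FreeRADIUS distribution: the three cases from the question written out as unlang, with pool selection in authorize and the reply set in post-auth as the answer describes. Assumptions: the pools xxx, yyy and zzz are defined as home_server_pool entries in proxy.conf, the sql module is configured, Reply-Message stands in for the unnamed reply attribute, and the table and column in the SQL query are hypothetical.

```unlang
# Added example. Sections belong in the virtual server that receives the
# requests (assumed here: the default one).
authorize {
	# Packet-Src-IP-Address is the address the packet arrived from.
	# NAS-IP-Address is a value the client writes inside the packet.
	if (User-Name == "bob") {
		if (Packet-Src-IP-Address == 10.10.10.10) {
			update control {
				Home-Server-Pool := "xxx"
			}
		}
		elsif (Packet-Src-IP-Address == 10.20.20.20) {
			update control {
				Home-Server-Pool := "yyy"
			}
		}
		elsif (Packet-Src-IP-Address == 10.30.30.30) {
			update control {
				Home-Server-Pool := "zzz"
			}
		}
		# Requests from any other client fall through unchanged.
	}
}

# The home server builds the reply, so per-client reply attributes are
# set here, after the proxied response has come back.
post-auth {
	if (User-Name == "bob") {
		if (Packet-Src-IP-Address == 10.10.10.10) {
			update reply {
				Reply-Message := "blah blah blah"
			}
		}
		elsif (Packet-Src-IP-Address == 10.20.20.20) {
			update reply {
				Reply-Message := "yadda yadda yadda"
			}
		}
		elsif (Packet-Src-IP-Address == 10.30.30.30) {
			update reply {
				# Hypothetical table and column; replace with the real query.
				Reply-Message := "%{sql:SELECT value FROM example_reply WHERE username = '%{User-Name}'}"
			}
		}
	}
}
```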