Selecting authentication based on NAS-IP-Address or Client IP Address

Alan DeKok aland at deployingradius.com
Sat May 18 14:28:14 CEST 2013


Jeremiah Peterson wrote:
> I see that it is possible to create realms and have each realm use a different proxy, but what I am more interested in is having the authentication method be selected based on client.
> 
> For example:
> 
> If the request comes from IP 10.10.10.10 and user bob then use home_server_pool xxx (and return attribute "blah blah blah")
> If the request comes from IP 10.20.20.20 and user bob then use home_server_pool yyy (and return attribute "yadda yadda yadda")
> If the request comes from IP 10.30.30.30 and user bob then use home_server_pool zzz (and return results from SQL query "xxxxx")

  Most of this can be done via "unlang".  It has if/then/else checks,
just like you wrote above.  You can even update the control items to
have "Home-Server-Pool := xxx".

> I can see how this is done when making the user enter a realm name or prefix or suffix to the username, but I don't want to do that for every authentication.  I want the authentication method to be selected based on the client.

  You can select the *source* for authentication credentials.  You can't
select the authentication *method*.  The client selects that.  (PAP,
CHAP, etc.)

> I have been searching for details on all the configuration files but I am not finding anything very conclusive or explanatory on how to build custom sites.

  It's pretty simple:

	if ((Packet-Src-IP-Address == 10.10.10.10) && (User-Name == "bob")) {
		update control {
			Home-Server-Pool := "xxx"
		}
	}


  You can't edit the reply here, because it's set by the home server.
You'll need to set the reply in post-auth.

  Alan DeKok.
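
The three cases from the question, written out in the style of the snippet above, with the reply attributes set in post-auth. This is an added example and not part of the original message: the pool names and strings are the thread's placeholders, and the use of Reply-Message and of the sql expansion are assumptions.

```unlang
# Added example, not from the original post. Pool names and reply strings are
# the placeholders used in the thread; Reply-Message is an assumed attribute.
authorize {
	if (User-Name == "bob") {
		if (Packet-Src-IP-Address == 10.10.10.10) {
			update control {
				Home-Server-Pool := "xxx"
			}
		}
		elsif (Packet-Src-IP-Address == 10.20.20.20) {
			update control {
				Home-Server-Pool := "yyy"
			}
		}
		elsif (Packet-Src-IP-Address == 10.30.30.30) {
			update control {
				Home-Server-Pool := "zzz"
			}
		}
	}
}

# The home server sets the reply, so per-client reply attributes are added
# here, after the proxied reply has come back.
post-auth {
	if (User-Name == "bob") {
		if (Packet-Src-IP-Address == 10.10.10.10) {
			update reply {
				Reply-Message := "blah blah blah"
			}
		}
		elsif (Packet-Src-IP-Address == 10.20.20.20) {
			update reply {
				Reply-Message := "yadda yadda yadda"
			}
		}
		elsif (Packet-Src-IP-Address == 10.30.30.30) {
			# "xxxxx" stands for the SQL query from the question; this
			# assumes the sql module is configured and loaded.
			update reply {
				Reply-Message := "%{sql:xxxxx}"
			}
		}
	}
}
```

Packet-Src-IP-Address is the address the packet actually arrived from, whereas NAS-IP-Address is a value the client places inside the request, so the two can differ when a NAS sits behind NAT or a proxy.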

