Selecting authentication based on NAS-IP-Address or Client IP Address

Jeremiah Peterson gamerj at gmail.com
Wed May 22 00:42:58 CEST 2013


Thanks Alan.

I have been researching what you said and have seen from debug that the code you gave me seems to be accepted by the server when it is processed. I put the code in the authorize section of /etc/freeradius/sites-enabled/default.

I get:

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.10.10.10 port 51690, id=9, length=43
       User-Name = "noo"
       User-Password = "smartcity123"
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[IPASS] No '/' in User-Name = "noo", looking up realm NULL
[IPASS] Found realm "DEFAULT"
[IPASS] Adding Stripped-User-Name = "noo"
[IPASS] Adding Realm = "DEFAULT"
[IPASS] Proxying request from user noo to realm DEFAULT
[IPASS] Preparing to proxy authentication request to realm "DEFAULT"
++[IPASS] returns updated
++? if (Packet-Src-IP-Address == 10.10.10.10)
       expand: %{Packet-Src-IP-Address} -> 10.10.10.10
? Evaluating (Packet-Src-IP-Address == 10.10.10.10) -> TRUE
++? if (Packet-Src-IP-Address == 10.10.10.10) -> TRUE
++- entering if (Packet-Src-IP-Address == 10.10.10.10) {...}
+++[control] returns updated
++- if (Packet-Src-IP-Address == 10.10.10.10) returns updated
[suffix] Request already proxied.  Ignoring.
++[suffix] returns ok
 WARNING: Empty pre-proxy section.  Using default return values.
Sending Access-Request of id 122 to 10.200.0.1 port 1812
       User-Name = "noo"
       User-Password = "test"
       NAS-IP-Address = 10.10.10.10
       Proxy-State = 0x3130
Proxying request 0 to home server 10.200.0.1 port 1812
Sending Access-Request of id 122 to 10.200.0.1 port 1812
       User-Name = "noo"
       User-Password = "test"
       NAS-IP-Address = 10.10.10.10
       Proxy-State = 0x3130
Going to the next request

So it looks like it evaluates the unlang correctly, but it doesn't change the home server pool to the intended pool.

Is the unlang supposed to be in the authorize section as I suspect? (NEWPOOL is the pool I want to choose)

Here is some config (the relevant part anyway):

root at FreeRADIUS:/etc/freeradius# cat sites-enabled/default
authorize {
       preprocess
       IPASS
       if (Packet-Src-IP-Address == 10.10.10.10) {
               update control {
                       Home-Server-Pool = NEWPOOL
               }
       }
       suffix
}
........................................


root at FreeRADIUS:/etc/freeradius# cat proxy.conf
proxy server {
       default_fallback = no
}
home_server default {
       type = auth+acct
       ipaddr = 10.200.0.1
       port = 1812
       secret = gdsa
}
home_server primary {
       type = auth+acct
       ipaddr = 10.100.0.1
       port = 1812
       secret = secret
}

home_server_pool DEFAULT {
       home_server = default
}
home_server_pool NEWPOOL {
       home_server = primary
}

realm DEFAULT {
       auth_pool = DEFAULT
}


I am still learning and researching. I just can't find enough documentation out there, which is why I turned to the mailing list. Thanks for your assistance.

On May 18, 2013, at 5:36 AM, Alan DeKok-2 [via FreeRADIUS] <ml-node+s1045715n5720262h64 at n5.nabble.com> wrote:

> Jeremiah Peterson wrote: 
> > I see that it is possible to create realms and have each realm use a different proxy, but what I am more interested in is having the authentication method be selected based on client. 
> > 
> > For example: 
> > 
> > If the request comes from IP 10.10.10.10 and user bob then use home_server_pool xxx (and return attribute "blah blah blah") 
> > If the request comes from IP 10.20.20.20 and user bob then use home_server_pool yyy (and return attribute "yadda yadda yadda") 
> > If the request comes from IP 10.30.30.30 and user bob then use home_server_pool zzz (and return results from SQL query "xxxxx") 
> 
>   Most of this can be done via "unlang".  It has if/then/else checks, 
> just like you wrote above.  You can even update the control items to 
> have "Home-Server-Pool := xxx". 
> 
> > I can see how this is done when making the user enter a realm name or prefix or suffix to the username, but I don't want to do that for every authentication.  I want the authentication method to be selected based on the client. 
> 
>   You can select the *source* for authentication credentials.  You can't 
> select the authentication *method*.  The client selects that.  (PAP, 
> CHAP, etc.) 
> 
> > I have been searching for details on all the configuration files but I am not finding anything very conclusive or explanatory on how to build custom sites. 
> 
>   It's pretty simple: 
> 
>         if ((Packet-Src-IP-Address == 10.10.10.10) && (User-Name == "bob")) { 
>                 update control { 
>                         Home-Server-Pool := "xxx" 
>                 } 
>         } 
> 
> 
>   You can't edit the reply here, because it's set by the home server. 
> You'll need to set the reply in post-auth. 
> 
>   Alan DeKok. 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
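An added example, not part of the thread and not Alan's or the poster's configuration: it shows one layout for steering a request by its source address in which the unlang check runs before the realm modules (IPASS/suffix) and names the proxy destination with Proxy-To-Realm instead of Home-Server-Pool. The realm block NEWREALM is assumed (only NEWPOOL and DEFAULT exist in the posted proxy.conf), and the example assumes the FreeRADIUS 2.x behaviour that a request whose control list already carries Proxy-To-Realm is proxied to that realm; the debug output above already shows the realm modules skipping such a request ("Request already proxied.  Ignoring."). The `:=` operator is the one from Alan's reply.

```unlang
# proxy.conf (assumed addition): a realm that points at the pool we want.
realm NEWREALM {
        auth_pool = NEWPOOL
}

# sites-enabled/default (assumed ordering): decide the destination first,
# then let the realm modules handle everything else.
authorize {
        preprocess

        # Packet-Src-IP-Address is the UDP source of the request, i.e. the
        # NAS that shares a secret with this server, not a client-supplied
        # attribute, so it is a reasonable key for routing decisions.
        # Adding a User-Name test, as in Alan's reply, narrows it further.
        if (Packet-Src-IP-Address == 10.10.10.10) {
                update control {
                        Proxy-To-Realm := "NEWREALM"
                }
        }

        # For the request above these modules log
        # "Request already proxied.  Ignoring." and leave the choice alone;
        # requests from any other source still fall through to realm DEFAULT.
        IPASS
        suffix
}
```

When testing such a change, the useful lines in `radiusd -X` output are the realm module's "Proxying request from user ... to realm ..." message and the final "Sending Access-Request ... to <ip> port 1812" line: together they confirm which realm won and which home server the credentials were actually forwarded to.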
