user from particular NAS-IP-Address
Matthew Newton
mcn4 at leicester.ac.uk
Sun May 26 19:48:41 CEST 2013
Pete,
On Sat, May 25, 2013 at 02:31:12PM -0600, Pete Ashdown wrote:
> I'm trying to restrict a guest user from a single NAS-IP-Address via "users"
> and I can't get it to work.
>
> Doesn't work:
>
> test NAS-IP-Address == "127.0.0.1"
> Auth-Type := Accept
Try:

  test NAS-IP-Address == "127.0.0.1", Auth-Type := Accept

The first line is for matches against the incoming request packets,
and setting things in the control list. The subsequent lines are
entries for the reply packet. Auth-Type is a control item. This is
documented in the users file - read it carefully and look at the
examples, such as "deny access for a group of users".
But for restricting users, I doubt you want "Accept"! :)
> Also, how would I do this for a group of NAS IP addresses? Is it possible to
> assign them to a group in "clients.conf" that can be later checked against in
> "users"? Where is the documentation of what can be tested against in the
> "users" file?
Add entries in the huntgroups file:

  blockednaslist NAS-IP-Address == 127.0.0.1
  blockednaslist NAS-IP-Address == 127.0.1.1

then use something like this in users:

  testuser Huntgroup-Name == "blockednaslist", Auth-Type := Reject

Don't forget that NAS-IP-Address can be spoofed if you permit NASes
not under your own control.
Matthew
--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
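
Added example (not part of the original post, and not FreeRADIUS code): a Python audit script built on a simplified model of the users and huntgroups layout described above. It flags a control item such as Auth-Type that sits on a reply line, and lists the NAS-IP-Address values each user is rejected from; the parser, function names and sample entries are constructed for illustration.

```python
import re

# Assumption: only Auth-Type is listed, since it is the control item named in
# the post; extend this set to match your own dictionary.
CONTROL_ONLY = {"Auth-Type"}
ITEM = re.compile(r'\s*([\w-]+)\s*(:=|==|\+=|!=|=)\s*("[^"]*"|[^,\s]+)\s*,?')

def parse_users(text):
    """Simplified model: an unindented line starts an entry (name + check/control
    items); indented lines that follow it hold reply items."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # naive comment stripping
        if not line.strip():
            continue
        if line[0].isspace():                      # continuation: reply items
            if entries:
                entries[-1]["reply"] += ITEM.findall(line)
        else:                                      # new entry: check/control items
            parts = line.split(None, 1)
            entries.append({"name": parts[0], "reply": [],
                            "check": ITEM.findall(parts[1] if len(parts) > 1 else "")})
    return entries

def misplaced_control_items(entries):
    """Return (user, attribute) pairs where a control item is on a reply line."""
    return [(e["name"], attr) for e in entries
            for attr, _op, _val in e["reply"] if attr in CONTROL_ONLY]

def rejected_nas(entries, huntgroups_text):
    """Map each user to the NAS-IP-Address values it is rejected from."""
    groups = {}
    for g in parse_users(huntgroups_text):         # same "name items" line shape
        groups.setdefault(g["name"], []).extend(
            v.strip('"') for a, _op, v in g["check"] if a == "NAS-IP-Address")
    out = {}
    for e in entries:
        check = {a: v.strip('"') for a, _op, v in e["check"]}
        if check.get("Auth-Type") == "Reject" and "Huntgroup-Name" in check:
            out[e["name"]] = groups.get(check["Huntgroup-Name"], [])
    return out

# Constructed sample input, modelled on the entries quoted in the thread.
HUNTGROUPS = ("blockednaslist NAS-IP-Address == 127.0.0.1\n"
              "blockednaslist NAS-IP-Address == 127.0.1.1\n")
SAMPLE = '''\
test    NAS-IP-Address == "127.0.0.1"
        Auth-Type := Accept
testuser Huntgroup-Name == "blockednaslist", Auth-Type := Reject
'''
```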