IP locking with freeradius

Iliya Peregoudov iperegudov at cboss.ru
Thu May 30 08:20:44 CEST 2013


It seems you want to drop upstream IP packets if the source IP address does 
not match the source MAC address, and you have a static table of IP-MAC pairs.

There are two cases where MAC address is relevant: Ethernet and PPPoE.

You can set static ARP entries to map IP address to MAC address on the L3 
switch (e.g. on an Ethernet router). This will ensure that downstream 
traffic is always sent to the correct Ethernet host. You can also enable 
"source IP address verification" on the L3 switch's subscriber-facing 
interfaces (for example, Cisco calls this "IP Source Guard"). This will 
drop upstream IP packets with an incorrect source IP address. No RADIUS 
interaction is required; everything is configured statically on the L3 switch.

You can send a packet filter that drops upstream packets whose source IP 
address differs from the assigned one to the PPPoE server in the RADIUS 
Access-Accept. For example, using the standard NAS-Filter-Rule attribute 
(your PPPoE server may support only vendor-specific packet filters):

# RFC 4849 NAS-Filter-Rule syntax: action dir proto from src to dst
# "assigned" is the address handed to this session (Framed-IP-Address).
# "in" is upstream (from the subscriber), "out" is downstream (to the subscriber).
update reply {
    NAS-Filter-Rule += "permit in ip from assigned to any"
    NAS-Filter-Rule += "permit out ip from any to assigned"
    NAS-Filter-Rule += "deny in ip from any to any"
    NAS-Filter-Rule += "deny out ip from any to any"
}

On 29.05.2013 21:45, Renan Rodrigues wrote:
> Hi Everyone!
>
> There is something I am trying to do with radius and can't find how.
> (One month googling and nothing done...)
> What I want is to authenticate my users with their MAC and IP-ADDRESS,
> so, even if they have root access to their systems, they can't change
> their IP-ADDRESS by themselves, because radius is going to reject them.
>
> Until now, I have a radius mac-authenticating and working together with
> dhcpd. I've tried to use ip-pool, which works, but someone can still
> change the ip-address by hand and keep networking....
>
> So, is it possible to work this out?
>
> Thanks
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
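As an added illustration (not part of either message above, and not
FreeRADIUS project code), the following is one way to put the static
IP-MAC table and the NAS-Filter-Rule approach together in a FreeRADIUS
`users` file. It assumes the NAS sends the client MAC as User-Name (as in
ordinary MAC authentication) and that it honours RFC 4849 NAS-Filter-Rule;
the MAC addresses and the 192.0.2.0/24 addresses are made up for the
example.

```conf
# raddb/users -- example entries, hypothetical MACs and IPs.
# Each known MAC gets its fixed address plus filter rules that pin
# upstream traffic to that address. "Auth-Type := Accept" skips password
# checking; replace it with whatever your MAC-auth setup already uses.
#
# Rule syntax (RFC 4849): action dir proto from src to dst
#   "in"       = upstream, from the subscriber towards the network
#   "out"      = downstream, from the network towards the subscriber
#   "assigned" = the address in Framed-IP-Address for this session
00:11:22:33:44:55   Auth-Type := Accept
        Framed-IP-Address = 192.0.2.10,
        NAS-Filter-Rule += "permit in ip from assigned to any",
        NAS-Filter-Rule += "permit out ip from any to assigned",
        NAS-Filter-Rule += "deny in ip from any to any",
        NAS-Filter-Rule += "deny out ip from any to any"

00:11:22:33:44:66   Auth-Type := Accept
        Framed-IP-Address = 192.0.2.11,
        NAS-Filter-Rule += "permit in ip from assigned to any",
        NAS-Filter-Rule += "permit out ip from any to assigned",
        NAS-Filter-Rule += "deny in ip from any to any",
        NAS-Filter-Rule += "deny out ip from any to any"

# A MAC not in the table is rejected outright instead of falling through
# to a pool, so an unknown host never gets an address at all.
DEFAULT Auth-Type := Reject
        Reply-Message = "unknown MAC address"
```

Note that this only binds the session to the address on the NAS; a host
that is not behind such a NAS (plain Ethernet with a DHCP server) still
needs the static binding enforced on the switch, as described for IP Source
Guard above, since nothing in RADIUS can stop a root user from typing a
different address into the interface.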


More information about the Freeradius-Users mailing list