IP Address as User name

Darren Ward (darrward) darrward at cisco.com
Thu Feb 6 23:28:52 CET 2014


Hi Alan

Actually, in cases where we do authorisation based on IP address, such as in ISG, we do need the IP or MAC as the username, but you are correct: I said clients when I meant users file.

e.g. a WiFi user who gets an IP from DHCP then attempts to go through to the Internet - we have no auth details yet but have a need to control the session

It also worked out that my problem was that the users file was in two places on my system and I was editing the wrong one! So easily fixed

The entry in the users file would be:

192.168.10.10 Cleartext-Password := "cisco"
	xxxxx attributes list;

Here's a snippet of ISG config:

!
 class type control always event session-start
  20 service-policy type service name WIFI_OPENGARDEN_SERVICE
  40 service-policy type service name WIFI_L4REDIRECT_SERVICE
  60 authorize aaa list IP_AUTHOR_LIST password cisco identifier source-ip-address
!

What this does is, when a new subscriber appears on the system, it contacts the AAA servers in the list IP_AUTHOR_LIST and authorises using the IP address on the incoming session with a password of cisco - all before the user has to authenticate to, say, a web portal or accept some T&Cs

This is for IPoE or IP sessions rather than PPP/PPPoE etc., which have built-in AAA

Of course, once they log in via a web portal we can change the services activated by sending a CoA to the gateway

Darren


-----Original Message-----
From: freeradius-users-bounces+darrward=cisco.com at lists.freeradius.org [mailto:freeradius-users-bounces+darrward=cisco.com at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Friday, 7 February 2014 5:59 AM
To: FreeRadius users mailing list
Subject: Re: IP Address as User name

Darren Ward (darrward) wrote:
> I’m struggling with getting an IP address to be accepted as a username 
> in the clients file and suspect it’s somehow being filtered but I 
> can’t find where

  That question is very confused.  You don't mean the "clients" file.
You mean the "users" file.  Computers are particular about that kind of thing.

  And you can't get IP's accepted as a User-Name.  They're a different attribute.

> I’ve created a user like:
> 
> Test Cleartext-Password := "test"
>  
> And using radtest can get an access-accept

  Because that's how it works.

> but when I try: 
> 
> 1.1.1.1     Cleartext-Password := "test"
> 
> I get an access-reject and it has a noop against the files in the 
> debug

  Because the "users" file is keyed by User-Name.  Read the comments at the top of the "users" file.  This is documented.

> I have tried in quotes as well but no luck

  Have you tried reading raddb/modules/files?  This is documented.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
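
The authorisation request described in the message above, as an added example that is not part of the original thread and is not FreeRADIUS or Cisco code: it builds the Access-Request a gateway would send with the source IP in User-Name, hides the fixed password as RFC 2865 section 5.2 specifies, and matches User-Name as text on the server side. The function names, the USERS dict standing in for the users file, and the shared secret are assumptions made for the illustration.

```python
import hashlib, os, struct

USER_NAME, USER_PASSWORD = 1, 2   # RADIUS attribute types (RFC 2865)

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR 16-byte blocks with a chained MD5 keystream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")

def build_access_request(source_ip: str, password: str, secret: bytes, ident: int = 1) -> bytes:
    """Gateway side: the session's source IP travels as the User-Name string."""
    authenticator = os.urandom(16)
    attrs = b""
    for atype, value in ((USER_NAME, source_ip.encode()),
                         (USER_PASSWORD, hide_password(password.encode(), secret, authenticator))):
        attrs += struct.pack("!BB", atype, len(value) + 2) + value
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def authorize(packet: bytes, secret: bytes, users: dict) -> str:
    """Server side: parse attributes, then match User-Name as text, like a users-file key."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    authenticator, pos, attrs = packet[4:20], 20, {}
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            raise ValueError("malformed attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    name = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = unhide_password(attrs.get(USER_PASSWORD, b""), secret, authenticator)
    expected = users.get(name)
    return "Access-Accept" if expected is not None and expected.encode() == password else "Access-Reject"

# Constructed sample data: one users-file style entry and a made-up shared secret.
USERS = {"192.168.10.10": "cisco"}
SECRET = b"testing123"
```

Because every session presents the same password, the accept or reject outcome here depends only on whether the source IP string has an entry.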

