IP address allocation based on certificate attributes
Alan DeKok
aland at deployingradius.com
Sat Oct 18 03:47:51 CEST 2014
janet long wrote:
> I know that certificate authentication is bread and butter for Radius,
> but I have a more granular requirement.
That's why you use FreeRADIUS. :)
> The user certificates are set up according to different countries, and
> cities etc where the users are based, e.g. within the Subject field is
> an attribute C=GB or C=US etc.
> I need to be able to allocate US users to one range of IP addresses, and
> UK users to another range of IP addresses - based solely on those
> attributes.
See raddb/sites-available/default in the recent releases of version 2.
You can query many of the certificate fields. Look for "TLS-"
> Is this possible? Can it be done in configuration, or would it require
> coding?
It can be done without any coding changes.
Just check the TLS-Cert-Subject attribute. Look for "C=..", via a
regex, and then use the country code as a key to choose an IP pool. It
takes 3-4 steps, but it's all relatively straightforward.
Alan DeKok.
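
The regex-then-pool selection described in the reply above, modelled in Python as an added example (not part of the original post and not FreeRADIUS code), so the pattern can be checked before it goes into the server configuration. The pool names and sample subjects are constructed; the example goes slightly beyond the post by anchoring the match on component separators and refusing subjects with no C= component or with conflicting ones.

```python
import re

# Hypothetical pool names; on the server these would be IP pool instances.
POOLS = {"GB": "pool_gb", "US": "pool_us"}

# A country component starts the string or follows a "/" or "," separator and
# ends at the next separator, so "DC=com" or "OU=ABC=GB" is not read as C=.
COUNTRY_RE = re.compile(r"(?:^|[/,])\s*C=([A-Za-z]{2})\s*(?=[/,]|$)")


def naive_country(subject):
    """Unanchored 'C=..' search, kept only to show what it gets wrong."""
    m = re.search(r"C=(..)", subject)
    return m.group(1) if m else None


def country_from_subject(subject):
    """Return the country code, or None unless exactly one distinct code exists."""
    codes = {c.upper() for c in COUNTRY_RE.findall(subject)}
    return codes.pop() if len(codes) == 1 else None


def pool_for_subject(subject):
    """Map a certificate subject to a pool name; None means assign no pool."""
    return POOLS.get(country_from_subject(subject))


# Constructed sample subjects in the style of a TLS-Cert-Subject value.
SAMPLES = [
    "/C=GB/ST=London/O=Example/CN=alice",
    "/DC=com/DC=example/C=US/CN=bob",   # "DC=com" contains the text "C=co"
    "CN=carol, O=Example, C=GB",        # comma-separated rendering
    "/OU=ABC=GB/CN=dave",               # "C=GB" only inside another value
    "/C=GB/CN=erin/C=US",               # conflicting country components
    "/C=FR/CN=frank",                   # valid country with no pool defined
    "/O=Example/CN=grace",              # no country at all
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r}: naive={naive_country(s)!r} pool={pool_for_subject(s)!r}")
```

A result of None is the case to handle explicitly on the server, either by rejecting the session or by falling back to a deliberately restricted default pool.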