Filter OpenLDAP users account upon Freeradius 3.0.10 NAS-Port-Id
Alan DeKok
aland at deployingradius.com
Sun Dec 13 16:06:00 CET 2015
On Dec 12, 2015, at 5:21 PM, François Lacombe <fl.infosreseaux at gmail.com> wrote:
> My roadwarrior users always use the same public IP address to reach it
> but can ask for different ids during the IKEv2 process (strongswan's
> ipsec.conf left|rightid parameters)
> Each id corresponds to a tunnel IP configuration and thus gives access
> to different LANs depending on the L3 routing/firewall.
OK.
> The current question, and this is where freeradius+ldap are useful, is
> to know if each user is allowed to access a given network area.
> Strongswan informs the radius of which connection configuration the
> user is asking for in the NAS-Port-Id.
That's good to know. It would have been helpful to say that at the start. Otherwise it's hard to tell what you're really doing.
> In my situation, all users are roadwarriors, may use any public IP
> they can depending on their location, and it can't be part of any
> stable conf.
Those people do not send RADIUS packets. The OpenSWAN system sends RADIUS packets. Therefore, the NAS-IP-Address *should* always be the IP of the OpenSWAN system.
>>> Is this the same with NAS-Port-Id?
>>> Should I take care of that?
>>
>> Define what you mean by "take care of that"?
>
> To conform to the RFC2865 guidelines.
I still have no idea what that means. Perhaps you could explain in detail.
Alan DeKok.