Filter OpenLDAP users account upon Freeradius 3.0.10 NAS-Port-Id

Alan DeKok aland at deployingradius.com
Sun Dec 13 16:06:00 CET 2015


On Dec 12, 2015, at 5:21 PM, François Lacombe <fl.infosreseaux at gmail.com> wrote:
> My roadwarrior users always use the same public IP address to reach it
> but can ask for different ids during the IKEv2 process (strongswan's
> ipsec.conf left|rightid parameters)
> To each id corresponds a tunnel IP configuration and thus gives access
> to different LANs depending on the L3 routing/firewall.

  OK.

> The current question, and this is where freeradius+ldap are useful, is
> to know if each user is allowed to access a given network area.
> Strongswan informs the radius of which connection configuration the
> user is asking for in the NAS-Port-Id.

  That's good to know.  It would have been helpful to say that at the start.  Otherwise it's hard to tell what you're really doing.

> In my situation, all users are roadwarriors, may use any public IP
> they can depending on their location and it can't be part of any
> stable conf.

  Those people do not send RADIUS packets.  The OpenSWAN system sends RADIUS packets.  Therefore, the NAS-IP-Address *should* always be the IP of the OpenSWAN system.

>>> Is this the same with NAS-Port-Id?
>>> Should I take care of that?
>> 
>>  Define what you mean by "take care of that"?
> 
> To conform to the RFC2865 guidelines.

  I still have no idea what that means.  Perhaps you could explain in detail.

  Alan DeKok.
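The check François describes (strongSwan puts the requested connection name in NAS-Port-Id, and the RADIUS server decides from LDAP whether the user may use that connection) can be expressed as a FreeRADIUS 3.0.x unlang policy. The following is an added example, not code from the thread or from the FreeRADIUS project; the connection names "lan-a"/"lan-b", the LDAP group names "vpn-lan-a"/"vpn-lan-b", and the rlm_ldap instance name "ldap" (with group membership lookups configured) are assumed placeholders.

```unlang
# Added example (not from the thread): "authorize" section of a virtual
# server, e.g. sites-enabled/default, FreeRADIUS 3.0.x.  The strongSwan
# gateway is the only RADIUS client, so its IP and shared secret are
# pinned in clients.conf; NAS-Port-Id is trusted only because it comes
# from that client, not from the road-warrior's public IP.
authorize {
    # Look the user up in OpenLDAP and make LDAP-Group comparisons available.
    ldap

    # Map the strongSwan connection name (assumed: "lan-a", "lan-b") to the
    # LDAP group (assumed: "vpn-lan-a", "vpn-lan-b") that may use it.
    switch &NAS-Port-Id {
        case "lan-a" {
            if (!(&LDAP-Group == "vpn-lan-a")) {
                update reply {
                    &Reply-Message := "Not authorised for lan-a"
                }
                reject
            }
        }
        case "lan-b" {
            if (!(&LDAP-Group == "vpn-lan-b")) {
                update reply {
                    &Reply-Message := "Not authorised for lan-b"
                }
                reject
            }
        }
        # Unknown or missing connection name: deny rather than fall through,
        # so a new ipsec.conf entry cannot be reached until it is mapped here.
        case {
            update reply {
                &Reply-Message := "Unknown connection"
            }
            reject
        }
    }
}
```

The EAP and password modules that the stock default site already runs in `authorize` and `authenticate` stay as they are; only the `switch` block is new. Rejecting on the default `case` is the important design choice: an allow-list keyed on NAS-Port-Id fails closed when strongSwan's configuration gains a connection the RADIUS policy does not yet know about.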