Requiring a valid user-group-groupcheck before sending a response
Benjamin Oh
ben at mobilegun.com
Mon Feb 1 23:30:44 CET 2016
Is it possible to authenticate or deny a request based on the radgroupcheck
and radusergroup being 'satisfied'? Basically I want to make sure that all
3 of the following are satisfied:
1) the user is in a proper group (radusergroup)
2) the request is coming from a valid IP (radgroupcheck using
NAS-IP-Address)
3) the user/password is valid of course (radcheck)
The issue I have is a user can supply a valid user/password combination,
but not have the required group membership in radusergroup, but still be
pass authentication which only looks at radcheck (user/password) and
nothing else. My desire is to be able to isolate different environments by
group and NAS-IP-Address. There may be a much more elegant way of getting
this done, which I'm open to as well.
More information about the Freeradius-Users
mailing list