Matching in VSA
Kenroy
bennettk9999 at gmail.com
Fri Apr 14 03:00:51 CEST 2017
Hi Nolan,
Freeradius policy files are stored in /etc/freeradius/policy.d . You can
take a look at these and read the freeradius wiki to get an idea on how to
create one.
Here is an example of a policy I used for a Nomadix access gateway to
authenticate users on a specific VLAN.
I hope this helps :)
------------------------------------------------------
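halcyon {
    # Match requests that arrive with NAS-Port 2030
    if (&request:NAS-Port == 2030) {
        # Accept the request without a credential check
        update control {
            Auth-Type := Accept
        }
        # Nomadix bandwidth/VLAN attributes and timeouts sent in the reply
        update reply {
            Nomadix-Group-Bw-Policy-Id = 3
            Nomadix-Group-Bw-Max-Down = 30000
            Nomadix-Group-Bw-Max-Up = 30000
            Nomadix-Net-VLAN = 2030
            Idle-Timeout = 18000
            Session-Timeout = 36000
        }
    }
}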
----------------------------------------------------
On Thu, Apr 13, 2017 at 8:49 PM, Noah <noah-list at enabled.com> wrote:
> Kenroy - are there any examples out there of this?
>
> Cheers,
>
> Noah
>
>
>
> On 4/13/17 4:35 PM, Kenroy wrote:
>
>> If the device has an attribute that sends that information in its request,
>> you can create a policy that checks that attribute value and the actions
>> you want.
>>
>> Regards,
>> Kenroy
>>
>> On Thu, Apr 13, 2017 at 7:29 PM, Noah <noah-list at enabled.com> wrote:
>>
>> Hi,
>>>
>>> Thanks for your response, Alan. More below.
>>>
>>> On 4/13/17 12:59 PM, Alan DeKok wrote:
>>>
>>> On Apr 13, 2017, at 3:46 PM, Noah <noah-list at enabled.com> wrote:
>>>>
>>>> I need to be able to match a client request with a specific key. I
>>>>> generally do this by matching IPs in the clients.conf file.
>>>>>
>>>>>
>>>> Ok...
>>>>
>>>> Is there any way to match to a Vendor specific attribute? For instance
>>>>
>>>>> if the request comes in from a specific vendor-id in the request I
>>>>> could
>>>>> match based on that and a specific radius secret key is used for the
>>>>> radius
>>>>> authentication session.
>>>>>
>>>>>
>>>> I'm not sure what that means.
>>>>
>>>> For FreeRADIUS, all attributes are just attributes. It doesn't matter
>>>> if they're "normal" ones or VSAs. All of the attribute matching and
>>>> comparison is done via standard methods. See "man unlang".
>>>>
>>>> If you're asking whether you can match clients based on some
>>>> information... the answer is "no". Clients are matched based on IP
>>>> address
>>>> (or network). See raddb/clients.conf.
>>>>
>>>> Alan DeKok.
>>>>
>>>>
>>>> Is there any way to configure matching a request to a specific secret
>>> based on the device type?
>>>
>>> Cheers,
>>>
>>> Noah
>>>
>>>
>>> -
>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>>
>>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list
>> /users.html
>>
>> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list
> /users.html
>
More information about the Freeradius-Users
mailing list
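Added example, not part of the thread or of FreeRADIUS: Python showing why the secret follows the source address, as Alan describes. A VSA can be read from the packet with no secret at all, while the request can only be verified (here through Message-Authenticator, RFC 2869) once a secret has been chosen by source IP. The client table, secrets, vendor ID 99999 and the packet are constructed for illustration.

```python
import hashlib, hmac, ipaddress, struct

# Constructed stand-in for clients.conf: the secret is keyed by source network.
CLIENTS = {ipaddress.ip_network("192.0.2.0/24"): b"constructed-secret-a",
           ipaddress.ip_network("198.51.100.0/24"): b"constructed-secret-b"}

def secret_for(src_ip):
    """Pick the shared secret from the packet's source address only."""
    addr = ipaddress.ip_address(src_ip)
    return next((s for net, s in CLIENTS.items() if addr in net), None)

def parse_attributes(packet):
    """Return [(type, value, offset)] for attributes after the 20-byte header."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        alen = packet[pos + 1]
        attrs.append((packet[pos], packet[pos + 2:pos + alen], pos))
        pos += alen
    return attrs

def decode_vsa(value):
    """Split a Vendor-Specific (type 26) value into (vendor_id, vendor_type, data)."""
    if len(value) < 6 or value[5] < 2 or 4 + value[5] > len(value):
        raise ValueError("malformed VSA")
    return struct.unpack("!I", value[:4])[0], value[4], value[6:4 + value[5]]

def verify_message_authenticator(packet, secret):
    """HMAC-MD5 over the whole packet with the attribute's 16 bytes zeroed."""
    for atype, value, pos in parse_attributes(packet):
        if atype == 80 and len(value) == 16:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False  # no Message-Authenticator present: nothing to verify

def build_sample(secret):
    """Constructed Access-Request: one VSA (vendor 99999, type 1) plus Message-Authenticator."""
    vsa = struct.pack("!I", 99999) + bytes([1, 6]) + struct.pack("!I", 2030)
    body = bytes([26, 2 + len(vsa)]) + vsa + bytes([80, 18]) + bytes(16)
    pkt = bytes([1, 7]) + struct.pack("!H", 20 + len(body)) + bytes(range(16)) + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
```

Until verification succeeds, the VSA is only unauthenticated input, which is why it can drive policy after the client lookup but not the client lookup itself.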