Matching in VSA

Kenroy bennettk9999 at gmail.com
Fri Apr 14 03:04:23 CEST 2017


Also, you have to know what your device is. Get a dictionary file and get an
understanding of what VSA it sends in its request. Also, most systems, if
not all, will also send the "NAS-IP-Address" AVP, which contains the IP address
of the client.

On Thu, Apr 13, 2017 at 9:00 PM, Kenroy <bennettk9999 at gmail.com> wrote:

> Hi Nolan,
>
> FreeRADIUS policy files are stored in /etc/freeradius/policy.d. You can
> take a look at these and read the FreeRADIUS wiki to get an idea of how to
> create one.
>
> Here is an example of a policy I used for a Nomadix access gateway to
> authenticate users on a specific VLAN.
>
> I hope this helps :)
> ------------------------------------------------------
>
> halcyon {
>         # Match requests that arrive with NAS-Port 2030
>         if (&request:NAS-Port == 2030) {
>                 # Accept the request without further authentication
>                 update control {
>                         Auth-Type := Accept
>                 }
>
>                 # Nomadix VSAs and timeouts returned to the gateway
>                 update reply {
>                         Nomadix-Group-Bw-Policy-Id = 3
>                         Nomadix-Group-Bw-Max-Down = 30000
>                         Nomadix-Group-Bw-Max-Up = 30000
>                         Nomadix-Net-VLAN = 2030
>                         Idle-Timeout = 18000
>                         Session-Timeout = 36000
>                 }
>         }
> }
> ----------------------------------------------------
>
> On Thu, Apr 13, 2017 at 8:49 PM, Noah <noah-list at enabled.com> wrote:
>
>> Kenroy - are there any examples out there of this?
>>
>> Cheers,
>>
>> Noah
>>
>>
>>
>> On 4/13/17 4:35 PM, Kenroy wrote:
>>
>>> If the device has an attribute that sends that information in its request,
>>> you can create a policy that checks that attribute value and the actions
>>> you want.
>>>
>>> Regards,
>>> Kenroy
>>>
>>> On Thu, Apr 13, 2017 at 7:29 PM, Noah <noah-list at enabled.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> Thanks for your response, Alan.  More below.
>>>>
>>>> On 4/13/17 12:59 PM, Alan DeKok wrote:
>>>>
>>>>> On Apr 13, 2017, at 3:46 PM, Noah <noah-list at enabled.com> wrote:
>>>>>
>>>>>> I need to be able to match a client request with a specific key.  I
>>>>>> generally do this by matching IPs in the clients.conf file.
>>>>>
>>>>>   Ok...
>>>>>
>>>>>> Is there any way to match to a Vendor specific attribute?  For instance
>>>>>> if the request comes in from a specific vendor-id in the request I could
>>>>>> match based on that and a specific radius secret key is used for the
>>>>>> radius authentication session.
>>>>>
>>>>>   I'm not sure what that means.
>>>>>
>>>>>   For FreeRADIUS, all attributes are just attributes.  It doesn't matter
>>>>> if they're "normal" ones or VSAs.  All of the attribute matching and
>>>>> comparison is done via standard methods.  See "man unlang".
>>>>>
>>>>>   if you're asking whether you can match clients based on some
>>>>> information... the answer is "no".  Clients are matched based on IP address
>>>>> (or network).  See raddb/clients.conf.
>>>>>
>>>>>   Alan DeKok.
>>>>
>>>> Is there any way to configure matching a request to a specific secret
>>>> based on the device type?
>>>>
>>>> Cheers,
>>>>
>>>> Noah
>>>>
>>>>
>>>> -
>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>
>
>
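
Added example (not part of the thread and not FreeRADIUS code): to see which attributes and VSAs a device actually puts in its request, as the reply above advises, this Python parser decodes a RADIUS packet using the RFC 2865 layout and lists NAS-IP-Address, NAS-Port and each vendor sub-attribute. The function names, the address 192.0.2.10, vendor id 32473 (the documentation enterprise number) and the sub-attribute value are constructed; NAS-Port 2030 is taken from the policy in the thread, and vendors are assumed to use the sub-TLV format RFC 2865 recommends.

```python
import socket
import struct

VENDOR_SPECIFIC = 26  # RFC 2865 attribute type that wraps vendor attributes

def _tlvs(buf, what):
    """Yield (type, value) for each 1-byte-type / 1-byte-length TLV in buf."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError(f"truncated {what} header")
        length = buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise ValueError(f"{what} length out of bounds")
        yield buf[pos], buf[pos + 2:pos + length]
        pos += length

def parse_request(packet):
    """Return (code, attrs). VSAs assume the sub-TLV layout RFC 2865 recommends."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("Length field does not fit the datagram")
    attrs = []
    for atype, value in _tlvs(packet[20:length], "attribute"):
        if atype == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("Vendor-Specific too short")
            vendor_id = struct.unpack("!I", value[:4])[0]
            for vtype, vdata in _tlvs(value[4:], "vendor sub-attribute"):
                attrs.append((("VSA", vendor_id, vtype), vdata))
        elif atype == 4 and len(value) == 4:
            attrs.append(("NAS-IP-Address", socket.inet_ntoa(value)))
        elif atype == 5 and len(value) == 4:
            attrs.append(("NAS-Port", struct.unpack("!I", value)[0]))
        else:
            attrs.append((atype, value))  # left undecoded: (type number, raw bytes)
    return code, attrs

def _attr(atype, value):
    return bytes([atype, len(value) + 2]) + value

def sample_request():
    """Constructed Access-Request; vendor 32473 is the documentation enterprise number."""
    body = (_attr(4, socket.inet_aton("192.0.2.10"))
            + _attr(5, struct.pack("!I", 2030))
            + _attr(26, struct.pack("!I", 32473) + _attr(1, b"guest-vlan")))
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body
```

Each ("VSA", vendor_id, vendor_type) key corresponds to one entry in the vendor's dictionary file, which is where the attribute name used in an unlang condition comes from.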
