Assigning and checking against local attribute
Ara Varter
aravv at mail.com
Tue Nov 9 23:48:45 CET 2021
I would like specific users to be authorized against specific NAS IP
addresses (using FreeRADIUS 3.0.13). For example, user "user1" should
only be authenticated if the NAS-IP-Address is one of a set of IP
addresses.
First, a new local attribute called "My-NAS-Group" was created in the
/etc/raddb/dictionary file as a string.
Next, in the /etc/raddb/mods-available/passwd file, there is a pointer to
the file 'test-groups.txt'.
passwd poc_groups {
filename = /etc/raddb/test-groups.txt
format = "*NAS-IP-Address:~My-NAS-Group"
hash_size = 300
ignore_nislike = no
allow_multiple_keys = no
}
The test-groups.txt file contains a mapping of IP address to a group
name. Based on the 'format' above, the idea is to assign the group
name to the local attribute 'My-NAS-Group'.
[root at server raddb]# more test-groups.txt
10.8.26.1:g1
10.8.151.137:g1
10.8.151.130:g2
Finally, I would like to use 'My-NAS-Group' as a match criterion for
the user authentication. For example, in the 'users' file:
user1 Cleartext-Password := "hello", My-NAS-Group == "g1"
Service-Type = Login-User
In the /etc/raddb/sites-available/default file, the only change that
has been made is to enable 'unix' authentication. This is for
authenticating using the local linux server accounts, however this is
separate from what I'm trying to do here. In other words, there is no
local system account for user "user1".
From the debug output there is no reference to "My-NAS-Group" and the
authentication fails. The authentication works if the "My-NAS-Group"
is removed.
What additional configuration is needed in FreeRADIUS for the local
attribute "My-NAS-Group" to be used as a match criterion in the 'users'
file?
Thanks
A
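As an added illustration (not part of the original post and not FreeRADIUS code), the following Python model shows how the 'format' string of the passwd module maps a line of test-groups.txt onto attributes, and which of those attributes a check item in the 'users' file can see. It assumes the field-prefix semantics described in the comments of the stock mods-available/passwd: '*' marks the key field, '=' places the field in the control list, '~' places it in the reply list, and 'users' check items are compared against the request and control lists only.

```python
# Added example (not FreeRADIUS code): a small model of rlm_passwd's
# "format" handling. Assumed semantics, from the stock mods-available/passwd
# comments: '*' = key field, '=' = control-list attribute, '~' = reply-list
# attribute. Users-file check items see only the request and control lists.

# Constructed copy of the poster's test-groups.txt
TEST_GROUPS = """10.8.26.1:g1
10.8.151.137:g1
10.8.151.130:g2
"""

def parse_format(fmt):
    """Split the format string into (prefix, attribute) pairs."""
    fields = []
    for field in fmt.split(":"):
        if not field or field[0] not in "*=~":
            raise ValueError(f"field {field!r} needs a *, = or ~ prefix")
        fields.append((field[0], field[1:]))
    return fields

def passwd_lookup(fmt, table, request):
    """Return (control, reply) attributes for the line whose key matches."""
    fields = parse_format(fmt)
    key_index = next(i for i, (p, _) in enumerate(fields) if p == "*")
    control, reply = {}, {}
    for line in table.splitlines():
        values = line.split(":")
        if len(values) != len(fields):
            continue  # malformed line: skipped, as the module would
        if values[key_index] != request.get(fields[key_index][1]):
            continue
        for (prefix, name), value in zip(fields, values):
            if prefix == "=":
                control[name] = value
            elif prefix == "~":
                reply[name] = value
        break
    return control, reply

def users_check_matches(request, control, check_items):
    """Evaluate users-file check items (attr == value) against request+control."""
    visible = {**request, **control}
    return all(visible.get(attr) == value for attr, value in check_items)

def authorize(fmt, nas_ip, check_items):
    """Run the lookup for one Access-Request and test the users-file entry."""
    request = {"User-Name": "user1", "NAS-IP-Address": nas_ip}
    control, _reply = passwd_lookup(fmt, TEST_GROUPS, request)
    return users_check_matches(request, control, check_items)
```

Running authorize() with the poster's format ("~My-NAS-Group") against the check item My-NAS-Group == "g1" yields no match, because the group lands in the reply list; the same call with "=My-NAS-Group" matches for 10.8.26.1 and 10.8.151.137 but not for 10.8.151.130.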