Freeradius configuration examples for switch dynamic ACLs.
Alan DeKok
aland at deployingradius.com
Sun Oct 3 23:26:44 CEST 2021
On Oct 3, 2021, at 5:14 PM, CpServiceSPb <cpservicespb at gmail.com> wrote:
>
> There is FreeRADIUS 3.0.23 on Ubuntu 18.04 LTS x64 and some HPE and
> Mikrotik managed switches that support the HP-NAS-Filter-Rule and
> Mikrotik-Switching-Filter RADIUS attributes (RFC 4849).
OK.
> I want to restrict src-address for each switch physical port after successful
> authentication, for example:
> - switch port 1, MAC a1:b1:c1:d1:e1:f1 - allowing src IP is 192.168.0.20
> only, all other IPs are denied;
> - switch port 2, MAC a2:b2:c2:d2:e2:f2 - allowing src IP is 192.168.0.30
> only, all other IPs are denied;
> - switch ports 3-16, MAC a3:b3:c3:d3:e3:f3 - allowing src IP is
> 192.168.0.40 only, all other IPs are denied.
>
> May somebody tell me where, in which configuration files, attributes that
> look like
> HP-NAS-Filter-Rule = "allow port 1 MAC a1:b1:c1:d1:e1:f1 src-IP
> 192.168.0.20 dst-IP any"
> HP-NAS-Filter-Rule += "allow port2 MAC a2:b2:c2:d2:e2:f2 src-IP
> 192.168.0.30 dst-IP any"
> HP-NAS-Filter-Rule += "allow port3 MAC a3:b3:c3:d3:e3:f3 src-IP
> 192.168.0.30 dst-IP any"
> ....
> NAS-Filter-Rule += "allow port16 MAC a3:b3:c3:d3:e3:f3 src-IP 192.168.0.30
> dst-IP any"
> should be added to?
Where you add these attributes depends on what kind of database you're using.
The simplest is the "files" module. See mods-available/files, and
$ man rlm_files
> And what format is it ?
$ man unlang
$ man users
Alan DeKok.
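As an added illustration of the "files" answer above (this is not part of the original thread and not FreeRADIUS project configuration), the following is what the per-port policy from the question might look like as entries in the users file read by rlm_files. It assumes the switch sends the client MAC in Calling-Station-Id in the lower-case colon form shown in the question and the physical port number in NAS-Port (both formats vary by vendor and are assumptions here), and it uses the standard RFC 4849 NAS-Filter-Rule attribute with the RFC 4005 "action dir proto from src to dst" rule syntax. Whether a given HPE or Mikrotik model accepts that syntax, or needs the vendor attribute (HP-NAS-Filter-Rule) in the same position instead, has to be checked against the switch documentation.

```text
# users file entries (constructed example). First matching entry wins;
# entries do not fall through unless Fall-Through = Yes is set.
#
# Check items go on the first line, reply items on the indented lines.
# Authentication itself (EAP, MAC-auth, ...) is handled elsewhere; these
# entries only attach the per-port ACL to the Access-Accept.

# Port 1: only 192.168.0.20 may send. Explicit final deny so the result
# does not depend on the switch's default disposition for unmatched packets.
DEFAULT Calling-Station-Id == "a1:b1:c1:d1:e1:f1", NAS-Port == 1
	NAS-Filter-Rule = "permit in ip from 192.168.0.20 to any",
	NAS-Filter-Rule += "deny in ip from any to any"

# Port 2: only 192.168.0.30 may send.
DEFAULT Calling-Station-Id == "a2:b2:c2:d2:e2:f2", NAS-Port == 2
	NAS-Filter-Rule = "permit in ip from 192.168.0.30 to any",
	NAS-Filter-Rule += "deny in ip from any to any"

# Ports 3-16 share one MAC, so matching the MAC alone is enough; the
# NAS-Port check is dropped here rather than listing fourteen entries.
DEFAULT Calling-Station-Id == "a3:b3:c3:d3:e3:f3"
	NAS-Filter-Rule = "permit in ip from 192.168.0.40 to any",
	NAS-Filter-Rule += "deny in ip from any to any"

# Anything else authenticating on an Ethernet port gets no source at all.
# Restricted to NAS-Port-Type so it cannot catch switch management logins.
DEFAULT NAS-Port-Type == Ethernet
	NAS-Filter-Rule = "deny in ip from any to any"
```

To see which entry matched and what was returned, run the server in debug mode (`radiusd -X`) and send a constructed request that carries the attributes the switch would send, for example `echo "User-Name=a1b1c1d1e1f1, User-Password=test, Calling-Station-Id=a1:b1:c1:d1:e1:f1, NAS-Port=1, NAS-Port-Type=Ethernet" | radclient localhost auth testing123` (the shared secret `testing123` is the default for localhost in clients.conf; the user and password are placeholders for whatever authentication you actually use). The debug output shows the users file line number that matched and the reply attributes, which is the quickest way to confirm the Calling-Station-Id format before trusting the ACL on the switch. If the switch formats the MAC differently (upper case, hyphens, no separators), the comparison silently fails and the request falls to the last DEFAULT entry, so check that case first.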