Norbert Grochal wrote:
I want to disallow login to access points for every host that is not
in my network.

So at the end of /usr/local/etc/raddb/users file I put regular
expression that checks if Calling-Station-Id IS NOT in list of my
hosts...
DEFAULT Auth-Type := REJECT, Calling-Station-Id !~
"008012323244|002938475473|<and many other macs...>"
  Don't do that.  It's ugly.  Use rlm_passwd.  See "man rlm_passwd".

  That lets you list all of the MACs in one flat text file, which is a
LOT easier to manage by a script than the "users" file.

I still have no idea how to do it; could you show me an example?

The man page is pretty clear

Do something like:

modules {
  passwd mac2ok {
    filename = /etc/raddb/mac2ok
    # '*' marks the key field looked up in the file,
    # '~' marks a field added to the request list
    format = "*Calling-Station-Id:~My-Local-String"
    hashsize = 100
  }

  # other modules
}

authorize {
  preprocess
  mac2ok
  files
  # other modules
}

Make "/etc/raddb/mac2ok" read:

008012323244:ok
002938475473:ok

...then in "users" put:

DEFAULT My-Local-String != "ok", Auth-Type := Reject
        Reply-Message = "calling station id not allowed",
        Fall-Through = No

# Other config items

Depending on the version of the server, you might need the following in /etc/raddb/dictionary:

ATTRIBUTE       My-Local-String         3000    string

...where 3000 can be any number between 3000 and 4000 and My-Local-String is an arbitrary name you can use for a local config attribute.
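As an added example (not from this thread or the FreeRADIUS project), a small Python helper that generates the mac2ok file described above from a list of MACs in mixed notations, and then models what the config does with it: the format-string prefixes and the users entry are taken from the reply, while the function names, the lowercase MAC form, and the matching logic are assumptions standing in for rlm_passwd's own hash lookup, not its code.

```python
import re
from pathlib import Path

# Mirrors the module config in the reply: '*' marks the key field, '~' marks a
# field that gets added to the request list; ':' is the delimiter assumed here.
FORMAT = "*Calling-Station-Id:~My-Local-String"
DELIMITER = ":"
PREFIXES = {"*": "key", "~": "request", "=": "control"}  # no prefix -> reply


def parse_format(fmt: str = FORMAT) -> list:
    """Turn the format string into [(attribute, destination), ...]."""
    fields = []
    for field in fmt.split(DELIMITER):
        dest = PREFIXES.get(field[0], "reply")
        fields.append((field.lstrip("*~="), dest))
    return fields


def normalize_mac(raw: str) -> str:
    """Collapse '00:80:12:32:32:44', '00-80-12-32-32-44' or '0080.1232.3244' to
    the 12-hex-digit form used in the mac2ok file; reject anything else.
    Lowercase is an assumption: the key must match the string the NAS sends."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {raw!r}")
    return digits.lower()


def write_mac2ok(macs, path) -> int:
    """Write one 'MAC:ok' line per unique MAC; return how many were written."""
    keys = sorted({normalize_mac(m) for m in macs})
    Path(path).write_text("".join(f"{k}{DELIMITER}ok\n" for k in keys))
    return len(keys)


def lookup(path, calling_station_id: str) -> dict:
    """Return the attributes the file adds to the request for this key
    (empty dict when the MAC is not listed), modelling the 'mac2ok' call."""
    fields = parse_format()
    key_name = next(name for name, dest in fields if dest == "key")
    for line in Path(path).read_text().splitlines():
        values = line.split(DELIMITER)
        if len(values) != len(fields):
            continue  # malformed line: skip it rather than guess
        row = dict(zip([name for name, _ in fields], values))
        if row[key_name] == calling_station_id:
            return {name: row[name] for name, dest in fields if dest == "request"}
    return {}


def authorize(path, calling_station_id: str) -> str:
    """Apply the users entry: DEFAULT My-Local-String != "ok", Auth-Type := Reject."""
    request = lookup(path, calling_station_id)
    if request.get("My-Local-String") != "ok":
        return "Reject"
    return "Fall-Through"  # listed MAC: the entry does not match, later entries decide
```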


Is it possible to 'mark' a good request and then at the end of the users file
write

DEFAULT Auth-Type := REJECT, REQUEST_NOT_MARKED

??

Norboro

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
