-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] .org] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, December 1, 2006 17:16
To: freeradius-users@lists.freeradius.org
Subject: differentiating radius attribute

Hi everybody,

I'm using freeradius to authenticate and authorize users to Cisco switches/routers/FW. My issue is that I want to do aaa for 3 things on the same device: device administrators login (telnet), for 802.1x EAP/MD5 (, and to manage firewall FWSM ACLs (radius attribute in the response: filter-id=acl_name). My question is how to differentiate these 3 needs by a radius attribute in the request, to be able to send in the response only the good radius authorization attribute depending on aaa type asking.

Could you run the radius server in debug mode (radius -X), and check what Attributes are present in the Request. Maybe something like Service-Type, Framed-Protocol, and NAS-Port could be used.

For instance this is a request from a PPP server:

rad_recv: Access-Request packet from host A.B.C.D:32776, id=171, length=136
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "MyLogin"
        MS-CHAP-Challenge = 0xXXXXXX
        MS-CHAP2-Response = 0xXXXXXXXX
        NAS-IP-Address = X.Y.Z.T
        NAS-Port = 0

And this is a request from a WiFi access (not on the same NAS though):

rad_recv: Access-Request packet from host A.B.C.D:1030, id=1, length=213
        Message-Authenticator = 0xXXXXXXXXXXXXXXXX
        Service-Type = Framed-User
        User-Name = "anonymous"
        Framed-MTU = 1492
        State = 0xXXXXXXXXX
        Called-Station-Id = "MACADDR:SSID"
        Calling-Station-Id = "MACADDR"
        NAS-Identifier = "AP_Name"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "802.11g"
        EAP-Message = 0xXXXXXXXX
        NAS-IP-Address = X.Y.Z.T
        NAS-Port = 1
        NAS-Port-Id = "STA port # 1"

Check also in your NAS setup if you can add specific attributes to the Request depending on the service used.

HTH,
Thibault
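
Added example, not part of the original messages: a Python sketch of the check suggested in the reply, parsing the two Access-Request dumps quoted there (abridged, placeholder values kept) and listing the attributes whose value or absence differs between the services. The function names, the labels "ppp" and "wifi", and the PER_USER exclusion set are assumptions of this example.

```python
import re

# Constructed sample: the two Access-Requests quoted in the reply, with its
# placeholder values, one attribute per line (both requests abridged).
DEBUG_LOG = """\
rad_recv: Access-Request packet from host A.B.C.D:32776, id=171, length=136
    Service-Type = Framed-User
    Framed-Protocol = PPP
    User-Name = "MyLogin"
    MS-CHAP-Challenge = 0xXXXXXX
    NAS-Port = 0
rad_recv: Access-Request packet from host A.B.C.D:1030, id=1, length=213
    Service-Type = Framed-User
    User-Name = "anonymous"
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0xXXXXXXXX
    NAS-Port = 1
"""

ATTR = re.compile(r'^\s+([A-Za-z0-9-]+) = (.*)$')
PER_USER = {"User-Name", "Calling-Station-Id"}  # identify the user, not the service

def parse_requests(log):
    """Split debug output into one {attribute: value} dict per Access-Request."""
    requests = []
    for line in log.splitlines():
        if line.startswith("rad_recv: Access-Request"):
            requests.append({})
        elif requests and (m := ATTR.match(line)):
            value = m.group(2).strip().strip('"')
            # Hex blobs change per session; only their presence is a signal.
            requests[-1][m.group(1)] = "<present>" if value.startswith("0x") else value
    return requests

def discriminators(labelled):
    """Return attributes whose value (or absence) is different for every service."""
    names = set().union(*labelled.values()) - PER_USER
    result = {}
    for name in sorted(names):
        seen = {label: req.get(name) for label, req in labelled.items()}
        if len(set(seen.values())) == len(labelled):
            result[name] = seen
    return result

def analyse(log, labels):
    """Label the requests in capture order and report the discriminating attributes."""
    return discriminators(dict(zip(labels, parse_requests(log))))

if __name__ == "__main__":
    print(analyse(DEBUG_LOG, ["ppp", "wifi"]))
```

In this sample Service-Type is Framed-User in both requests, so it does not appear in the result, while Framed-Protocol, NAS-Port-Type and the presence of EAP-Message do. Capture one request per service from the same NAS before choosing which attribute to match on.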