Gene Mosley wrote: > Users are authenticating from systems that they should not be > authenticating from - we need to block authentication on a per system > (IP address) basis, not a per user basis.
You can do this in FreeRADIUS. Put users into different groups, and block the group from accessing particular systems. > Users should be allowed to authenticate from any system that they are > using _except_ a certain, specific list of IP addresses which would > basically be banned/blocked from authenticating. This can be done, too. > Is this something that FreeRADIUS can do? Yes. > I just started reading about it - and if nothing else it looks like > exec-program-wait might be used to test the IP address and return an > authentication failure? That will work, too, but will be less efficient. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html