If the request comes from a device that isn't in your clients.conf it will be rejected, so you needn't bother with all this. Server doesn't accept packets from unknown devices. It's a basic security feature.

Ivan Kalik
Kalik Informatika ISP

On 6/6/2007, "Brian Johnson" <[EMAIL PROTECTED]> writes:

>Hello again all,
>
>Thanks to the folks who responded to my earlier plea with regards to
>authenticating many Cisco devices using radius. I'm trying to weigh
>my options and see which direction I want to go.
>
>One idea I had after sending mail to the list was, have a sort of
>"catch-all" line at the end of the users file, so that if the radius
>server hears a request from a device where the client-ip-address isn't
>specified already in the file, it would look in our custom group file
>for authorized users and allow them entry. Here's an idea of what I'm
>thinking:
>
>
>DEFAULT Auth-Type = Kerberos
>        Fall-Through = 1
>DEFAULT Client-IP-Address == 10.0.0.60, Huntgroup-Name == group1
>DEFAULT Client-IP-Address == 10.0.0.226, Huntgroup-Name == group2
>DEFAULT Called-Station-Id == 5551234, Custom-Group == "dept800"
>        Service-Type = Framed-User,
>        Framed-Protocol = PPP,
>        Framed-Routing = Broadcast-Listen,
>        Framed-MTU = 1500,
>        Session-Timeout = 28800,
>        Idle-Timeout = 28800,
>        Framed-Compression = Van-Jacobson-TCP-IP
>DEFAULT Called-Station-Id == 5551234, Auth-Type := Reject
>....
>and at the end:
>DEFAULT Custom-Group == "routerfolk"
>DEFAULT Auth-Type := Reject
>
>My thinking is, if the request comes from a device where the
>client-ip-address is specified, then it will let it through. If it
>comes from a device where the client-ip-address is not specified, then
>it will hit the next to the last line of the file, check the
>custom-group file and see if the user exists in it. If they do,
>they're authenticated on the device. If they don't exist in the file,
>then they'll hit the last line and be rejected.
>
>However, what I've found in practice is, even if a request is heard
>from a device where the client-ip-address is specified above, they're
>still being rejected by the last line. Is there any way that I can
>tell the last line to reject *only* if there isn't a match previous to
>it?
>
>Thanks again for any help!
>
>Brian
>
>
>--
>Brian Johnson
>"And I will be even more undignified than this, and will be humble in
>my own sight." (2 Samuel 6:22)
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
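
The client check described in the reply at the top of this message, sketched as an added example (not code from the thread or from FreeRADIUS): a simplified model of how the packet source is matched against clients.conf before the users file is ever read. The sample file is constructed; the secrets, shortnames, the 192.0.2.0/24 entry and the most-specific-match rule are assumptions of this model.

```python
import ipaddress
import re

# Constructed sample in clients.conf style. The two 10.0.0.x addresses come
# from the thread; secrets, shortnames and the subnet entry are placeholders.
SAMPLE_CLIENTS_CONF = """
client 10.0.0.60 {
    secret = placeholder-secret-1
    shortname = router-a
}
client 10.0.0.226 {
    secret = placeholder-secret-2
    shortname = router-b
}
# a whole management subnet listed as one client
client 192.0.2.0/24 {
    secret = placeholder-secret-3
    shortname = lab-net
}
"""

CLIENT_RE = re.compile(r"^\s*client\s+(\S+)\s*\{(.*?)^\s*\}", re.S | re.M)

def parse_clients(text):
    """Return [(network, shortname)] per client block (IP-named clients only)."""
    text = re.sub(r"#.*", "", text)  # strip comments to end of line
    clients = []
    for name, body in CLIENT_RE.findall(text):
        attrs = dict(re.findall(r"^\s*(\w+)\s*=\s*(\S+)", body, re.M))
        net = ipaddress.ip_network(name, strict=False)
        clients.append((net, attrs.get("shortname", name)))
    return clients

def find_client(clients, src_ip):
    """Match the packet source; the most specific entry wins (model assumption)."""
    addr = ipaddress.ip_address(src_ip)
    hits = [c for c in clients if addr in c[0]]
    return max(hits, key=lambda c: c[0].prefixlen)[1] if hits else None

def handle_packet(clients, src_ip):
    """Model of the gate: unknown sources never reach the users file."""
    shortname = find_client(clients, src_ip)
    if shortname is None:
        return "ignored: unknown client, users file not consulted"
    return f"accepted from {shortname}: users file evaluated"
```

In this model a catch-all DEFAULT entry in the users file can only ever see requests from devices that already have a client entry, which is the point the reply makes.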