Thanks Alan. I've got that bit working now. However, I can't get my check on the NAS-IP-Address attribute to work.
I now have this config:

File dictionary

    ATTRIBUTE User_Group_Name 3003 string
    ATTRIBUTE Nas_Group_Name 3004 string

File modules/etc_group

    passwd etc_group {
        filename = /etc/raddb/lth_group
        format = "~User_Group_Name:*,User-Name"
        hashsize = 50
        ignorenislike = no
        allowmultiplekeys = yes
        delimiter = ":"
    }

File modules/nas_group

    passwd nas_group {
        filename = /etc/raddb/nas_group
        format = "~Nas_Group_Name:*,NAS-IP-Address"
        hashsize = 50
        ignorenislike = no
        allowmultiplekeys = yes
        delimiter = ":"
    }

File lth_group

    path_group:user1,user2,user3,user4
    comms_group:superuser1,superuser2,superuser3,superuser4

File nas_group

    path_nas_group:xxx.xxx.225.59,xxx.xxx.104.10
    comms_nas_group:xxx.xxx.225.60

File sites-enabled/default - post-auth section

    etc_group
    nas_group
    exec
    #if ("%{NAS-IP-Address}" == xxx.xxx.225.59) {
    #    update reply {
    #        Reply-Message := "Mark Whitmarsh not allowed here"
    #    }
    #    reject
    #}
    if ("%{User_Group_Name}" == path_group) {
        if ("%{Nas_Group_Name}" != path_nas_group) {
            update reply {
                Reply-Message := "Pathology not allowed here"
            }
            reject
        }
    }
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }

In debug, nas_group always returns notfound. If I change the nas_group module to use Calling-Station-Id, for example, then it successfully returns my IP address (xxx.xxx.104.10).

Is it because NAS-IP-Address is type ipaddr that it doesn't find it in the nas_group file?

Mark.

________________________________________
From: freeradius-users-bounces+mark.whitmarsh=nhs....@lists.freeradius.org [freeradius-users-bounces+mark.whitmarsh=nhs....@lists.freeradius.org] On Behalf Of Alan DeKok [al...@deployingradius.com]
Sent: 27 May 2010 17:02
To: FreeRadius users mailing list
Subject: Re: Restricting certain users access to certain NAS devices

Whitmarsh Mark (Leeds Teaching Hospitals NHS Trust) wrote:
> Sorry, I should have mentioned I already tried man rlm_passwd and couldn't figure it out.
> I've been through it again and have made the following changes:
>
> 1. Created a file /etc/raddb/path_group
>     path_group:user1,user2,user3,user4,user5
>
> 2. Added the following to /etc/raddb/dictionary
>     ATTRIBUTE User_Group_Name 3003 string
>
> 3. Added to modules/passwd
>     filename = /etc/raddb/path_group
>     hashsize = 20
>     allowmultiplekeys = yes
>     format = "~User_Group_Name:*,User-Name"
>
> 4. Also edited modules/etc_group because I couldn't make out which file to put these items in
>     passwd etc_group {
>         filename = /etc/raddb/path_group
>         format = "~User_Group_Name:*,User-Name"
>         hashsize = 50
>         ignorenislike = no
>         allowmultiplekeys = yes
>         delimiter = ":"
>     }
>
> 5. Inserted this into the post-auth section of sites-enabled/default
>
>     if ("%{User_Group_Name}" == path_group) {

  You should list "etc_group" in the post-auth section. The module will be loaded, and will add the User_Group_Name attribute.

> Debug output is:

  Which shows that the etc_group module isn't used when a packet is received.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
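To make the two-stage policy in the thread easier to reason about, here is a small Python model of what the two passwd-module lookups and the post-auth unlang are meant to do together. This is an added example written for this page, not code from the thread or from FreeRADIUS itself. It assumes only the documented meaning of the rlm_passwd format string ('*' marks the key field, '~' marks a field added to the request, ',' marks a field holding a comma-separated list of values) and treats NAS-IP-Address purely as a dotted-quad string, so it says nothing about how the real server handles the ipaddr type. The group files, addresses (RFC 5737 documentation ranges) and requests are constructed for the example.

```python
"""Model of an rlm_passwd-style group lookup followed by the post-auth
policy from the thread.  Added illustration, not FreeRADIUS code: it
imitates the documented 'format' flags on constructed sample files.
"""


def parse_format(fmt):
    """Turn a format string such as "~Nas_Group_Name:*,NAS-IP-Address" into
    one (attribute, is_key, is_multi, add_to_request) tuple per field."""
    fields = []
    for raw in fmt.split(":"):
        is_key = is_multi = to_request = False
        name = raw
        while name and name[0] in "*~,=":
            flag, name = name[0], name[1:]
            if flag == "*":
                is_key = True          # field searched against the request
            elif flag == "~":
                to_request = True      # field added to the request list
            elif flag == ",":
                is_multi = True        # comma-separated list of values
            # '=' (check items) is accepted but not modelled here
        fields.append((name, is_key, is_multi, to_request))
    if sum(1 for f in fields if f[1]) != 1:
        raise ValueError("format must mark exactly one key field with '*'")
    return fields


def load_passwd_file(text, fields, delimiter=":"):
    """Build key -> list of records; a ',' key field (allowmultiplekeys)
    yields one table entry per listed value."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(delimiter)
        if len(parts) != len(fields):
            raise ValueError(f"field count mismatch in record: {line!r}")
        record, keys = {}, []
        for value, (name, is_key, is_multi, to_request) in zip(parts, fields):
            if is_key:
                keys = value.split(",") if is_multi else [value]
            elif to_request:
                record[name] = value
        for key in keys:
            table.setdefault(key, []).append(record)
    return table


def lookup(table, request, fields):
    """Search the file by the request's key attribute; return the attributes
    to add to the request, or None for the module's 'notfound' outcome."""
    key_attr = next(name for name, is_key, _, _ in fields if is_key)
    key = request.get(key_attr)
    if key is None or key not in table:
        return None
    merged = {}
    for rec in table[key]:
        merged.update(rec)
    return merged


USER_FIELDS = parse_format("~User_Group_Name:*,User-Name")
NAS_FIELDS = parse_format("~Nas_Group_Name:*,NAS-IP-Address")

# Constructed sample files shaped like lth_group and nas_group in the
# thread; the addresses are documentation ranges, not the poster's.
LTH_GROUP = """\
path_group:user1,user2,user3,user4
comms_group:superuser1,superuser2
"""
NAS_GROUP = """\
path_nas_group:192.0.2.59,192.0.2.10
comms_nas_group:192.0.2.60
"""
USER_TABLE = load_passwd_file(LTH_GROUP, USER_FIELDS)
NAS_TABLE = load_passwd_file(NAS_GROUP, NAS_FIELDS)


def post_auth(request):
    """Mirror of the unlang in the thread: run both lookups, then reject a
    path_group user whose NAS is not in path_nas_group.  A 'notfound' NAS
    lookup leaves Nas_Group_Name unset, which the check treats as a
    mismatch, so such users are rejected everywhere."""
    request = dict(request)
    for table, fields in ((USER_TABLE, USER_FIELDS), (NAS_TABLE, NAS_FIELDS)):
        found = lookup(table, request, fields)
        if found:
            request.update(found)
    if request.get("User_Group_Name") == "path_group":
        if request.get("Nas_Group_Name") != "path_nas_group":
            return ("reject", "Pathology not allowed here")
    return ("ok", None)
```

Running `post_auth({"User-Name": "user1", "NAS-IP-Address": "192.0.2.59"})` accepts, while the same user on 192.0.2.60, or on an address absent from the NAS file, is rejected; the second case is the behaviour a permanently "notfound" nas_group lookup produces for every pathology user.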