On 23 Aug 2013, at 18:30, Nikolaos Milas <nmi...@noa.gr> wrote:

> On 23/8/2013 7:25 PM, Arran Cudbard-Bell wrote:
>
>> See ldap_xlat http://wiki.freeradius.org/modules/Rlm_ldap
>>
>> Use a query that searches for the value of NAS-IP-Address in the user object
>> in a custom attribute.
>>
>> If the query expands to something other than a zero length string, the
>> attribute exists.
>>
>> authorize {
>>     if ("%{ldap:<query>}" == '') {
>>         reject
>>     }
>> }
>
> Thanks Arran,
>
> I'll focus on the 1st part for now.
>
> I understand that the value of NAS-IP-Address (CheckItem)
> can be checked against '%{Packet-Src-IP-Address}'. Right?

You could check they're the same... yes. If you want to retrieve the single authorized NAS a device is allowed to connect to, and then check it against Packet-Src-IP-Address then you could do it with the query below.

> authorize {
>     if ("%{ldap:<query>}" == '%{Packet-Src-IP-Address}') {
>         # accept
>         update control {
>             Auth-Type := Accept
>         }
>     }
>     else {
>         reject
>     }
> }
>
> Is there a way to also check the port of the NAS being used by the host to
> connect as well (I guess the NAS should provide this info somehow during
> auth)?

Run freeradius with -X, see what attributes are being sent. It'll either be in NAS-Port or NAS-Port-ID if the NAS is providing that information.

-Arran

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
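As an added example (not from the thread or from the FreeRADIUS project), the following authorize section combines the three checks discussed above: reject when the LDAP attribute is absent (the xlat expands to a zero-length string), require the stored NAS address to match Packet-Src-IP-Address (the real source address of the packet, rather than the NAS-IP-Address attribute the NAS fills in itself), and, when a port is stored, compare it with whichever of NAS-Port or NAS-Port-Id the NAS actually sends. The base DN, the attribute names radiusAuthorizedNas and radiusAuthorizedNasPort, and the use of Tmp-String-0/Tmp-String-1 as scratch attributes are assumptions made for this example; the `%{ldap:ldap:///...}` URL form is the one documented on the rlm_ldap wiki page Arran links.

```unlang
authorize {
    # Fetch the single NAS (and optional port) this user may connect through.
    # Base DN, attribute names and the Tmp-String-* scratch attributes are
    # assumptions for this example; adjust them to the directory layout.
    update request {
        Tmp-String-0 := "%{ldap:ldap:///ou=people,dc=example,dc=com?radiusAuthorizedNas?sub?(uid=%{User-Name})}"
        Tmp-String-1 := "%{ldap:ldap:///ou=people,dc=example,dc=com?radiusAuthorizedNasPort?sub?(uid=%{User-Name})}"
    }

    # Zero-length result means the attribute is absent from the user object.
    # Reject rather than letting a missing restriction allow any NAS.
    if ("%{Tmp-String-0}" == '') {
        reject
    }

    # The stored NAS must match the address the request really came from.
    if ("%{Tmp-String-0}" != "%{Packet-Src-IP-Address}") {
        reject
    }

    # Port check only applies when one is recorded in LDAP. Run
    # "freeradius -X" to see whether the NAS sends NAS-Port or NAS-Port-Id.
    if ("%{Tmp-String-1}" != '') {
        if ("%{NAS-Port}" != "%{Tmp-String-1}" && "%{NAS-Port-Id}" != "%{Tmp-String-1}") {
            reject
        }
    }

    # All checks passed: let the normal authentication flow continue.
    update control {
        Auth-Type := Accept
    }
}
```

Keeping the two lookups in separate Tmp-String attributes makes the debug output readable: each expansion appears on its own line in the `-X` trace, so an unexpected reject can be traced to the empty-attribute check, the address comparison or the port comparison without re-running the query.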