On 23 Aug 2013, at 18:30, Nikolaos Milas <nmi...@noa.gr> wrote:

> On 23/8/2013 7:25 μμ, Arran Cudbard-Bell wrote:
> 
>> See ldap_xlat: http://wiki.freeradius.org/modules/Rlm_ldap
>> 
>> Use a query that searches for the value of NAS-IP-Address in the user object 
>> in a custom attribute.
>> 
>> If the query expands to something other than a zero length string, the 
>> attribute exists.
>> 
>> authorize {
>>      if ("%{ldap:<query>}" == '') {
>>              reject
>>      }
>> }
> 
> Thanks Arran,
> 
> I'll focus on the 1st part for now.
> 
> I understand that the value of NAS-IP-Address (CheckItem)
> can be checked against '%{Packet-Src-IP-Address}'. Right?

You could check they're the same... yes.

If you want to retrieve the single authorized NAS a device is allowed to 
connect to, and then check it against Packet-Src-IP-Address then you could do 
it with the query below.

>   authorize {
>       if ("%{ldap:<query>}" == '%{Packet-Src-IP-Address}') {
>           # accept
>           update control {
>               Auth-Type := Accept
>           }
>       }
>       else {
>           reject
>       }
>   }
> 
> Is there a way to also check the port of the NAS being used by the host to 
> connect as well (I guess the NAS should provide this info somehow during 
> auth)?

Run freeradius with -X, see what attributes are being sent.

It'll either be in NAS-Port or NAS-Port-ID if the NAS is providing that 
information.

-Arran
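Putting the two answers above together, here is an added example (not from the thread) of an authorize section that pulls the permitted NAS address and port from the user's LDAP entry and compares them with what the request actually carries. The base DN ou=people,dc=example,dc=com and the attribute names radiusNASIpAddress and radiusNASPort are assumptions; substitute your own schema. It only rejects, so normal password authentication still runs afterwards.

```unlang
# Added example; the base DN and the two attribute names are assumptions.
# The ldap xlat takes an LDAP URL of the form base?attribute?scope?filter
# and expands to the attribute's value, or to "" when the entry or the
# attribute does not exist.
authorize {
    update request {
        Tmp-String-0 := "%{ldap:ldap:///ou=people,dc=example,dc=com?radiusNASIpAddress?sub?(uid=%{User-Name})}"
        Tmp-String-1 := "%{ldap:ldap:///ou=people,dc=example,dc=com?radiusNASPort?sub?(uid=%{User-Name})}"
    }

    # An empty expansion means no entry or no attribute. Test for it
    # explicitly rather than letting "" compare equal to something later.
    if ("%{Tmp-String-0}" == '') {
        reject
    }

    # Compare against the packet's real source address, not the
    # NAS-IP-Address the client reports about itself.
    if ("%{Tmp-String-0}" != "%{Packet-Src-IP-Address}") {
        reject
    }

    # Port check only when the user entry specifies one. NAS-Port is only
    # there if the NAS sends it; confirm with radiusd -X first, and use
    # NAS-Port-Id instead if that is what your NAS provides.
    if ("%{Tmp-String-1}" != '' && "%{Tmp-String-1}" != "%{NAS-Port}") {
        reject
    }
}
```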