Fletcher Mattox <[EMAIL PROTECTED]> wrote:

> That's a shame. The NAS is a Cisco 3000 VPN Concentrator. I want to make
> an authentication decision based on this IP address. I notice that it
> *does* send it in an accounting packet one second later, because radiusd
> logs it in /var/log/radacct/1.2.3.4/detail, and because it appears in
> radutmp and radwtmp. Can you think of any clever way I can use this
> information for authentication?

I'm afraid the only way to do so is to have Framed-IP-Address in the Access-Request. It is a chicken-and-egg problem: for the NAS to send Accounting-Request it must first receive an Access-Accept packet from the radius server, and the latter can send it only if it knows Framed-IP-Address, which is available only in the Accounting-Request.

Perhaps Cisco is sending some other attribute that can be used in place of Framed-IP-Address? For example, according to RFC 2865, an Access-Request should contain NAS-Port or NAS-Port-Type attribute. Could these be used for your purpose?

Regards,
Sergey

_______________________________________________
Help-gnu-radius mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-gnu-radius
