Re: Different Authentication for several devices (severalNas-Ip-Address)

2007-07-23 Thread tnt
OK. If your devices put their IP addresses in the Called-Station-Id field
there is no need to do rewrites. You can use regexp operators to
control access as the Called-Station-Id attribute is a string.

NAS1   NAS-IP-Address == proxyIP, Called-Station-Id =~ ^192.168.48.
   Dev group(s) in reply

NAS2   NAS-IP-Address == proxyIP, Called-Station-Id =~ ^192.168.49.
   Prod group(s) in reply

Ivan Kalik
Kalik Informatika ISP


You can leave out this proxy IP check if all traffic comes over the
proxy. You might need to escape periods in regexp.

On 23/7/2007, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Re-Hello ;-)

I searched for how I can do this but I can't find it...

I want to do this:

If NAS-IP-Address == 192.168.48.0/24 -- Rewrite Calling-station-id to Dev
else
  If NAS-IP-Address == 192.168.48.0/24 -- Rewrite Calling-station-id to Prod
  else
    Do nothing.
  fi
fi

I don't know how to check the NAS-IP-Address attribute and rewrite another
attribute (Calling-Station-Id).

Thank you for your help !!

NicolaS.

Quoting [EMAIL PROTECTED]:

 Hello,

 Thank you for your help but I don't understand how you can make it.

 Here is the configuration that I am trying:

 # Replace the NAS-IP-Address with the Proxy-IP
 attr_rewrite overwrite_nasip {
   attribute = NAS-IP-Address
   searchfor = .*
   packet = packet
   replacewith = 10.28.65.130
   max_matches = 1
 }

 # Dev Eqpt : 192.168.48.0/24
 attr_rewrite dev_equipment {
   attribute = Calling-Station-Id
   searchfor = .*
   packet = packet
   replacewith = Dev  -- Replace String Dev for all Eqpts but not for 192.168.48.0/24!!
   max_matches = 1
 }

 preproxy {
   files
   overwrite_nasip
   dev_equipment
 }

 Here is what I want:

 1.

 If [ NAS-IP-Address =~ 192.168.48.* ]
   Calling-Station-Id = Dev
 else
   if [ NAS-IP-Address =~ 192.168.49.* ]
     Calling-station-id = Prod
   else
     Calling-station-id = Any
   fi
 fi

 2.
 The proxy forwards the Access-Request to the radius server

 3.
 The radius server receives the Access-Request
 If [ Nas-IP-Address == Proxy-IP and Calling-Station-Id == Dev ]
   instance_openldap-Ldap-Group == CiscoDev
 else
   If [ Nas-IP-Address == Proxy-IP and Calling-Station-Id = Prod ]
     instance_openldap-Ldap-Group == CiscoProd
   else
     instance_openldap-Ldap-Group == CiscoOthers
   fi
 fi

 Thank you for your assistance

 Nicolas.






-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Different Authentication for several devices (severalNas-Ip-Address)

2007-07-23 Thread nicolaskarp
Called-Station-Id isn't equal to Nas-Ip-Address, it is equal to the PC where I
initiate the telnet connection.

It's not equal to my Nas-Ip :(

So, I would change the Called-Station-Id to Nas-Ip-Address and Nas-Ip-Address to
proxy address.

Any idea?




Re: Different Authentication for several devices (severalNas-Ip-Address)

2007-07-23 Thread nicolaskarp

Moreover, I use a proxy because in the huntgroup file, I can't use a CIDR
network, just a host IP.





RE: Different Authentication for several devices(severalNas-Ip-Address)

2007-07-23 Thread Hugh Messenger
[EMAIL PROTECTED] said
 If [ NAS-IP-Address =~ 192.168.48.* ]
   Calling-Station-Id = Dev
 else
   if [ NAS-IP-Address =~ 192.168.49.* ]
     Calling-station-id = Prod
   else
     Calling-station-id = Any
   fi
 fi

You might try:

DEFAULT NAS-IP-Address =~ ^192\.168\.48\.
   Calling-Station-Id := Dev
   Fall-Through = 1

DEFAULT NAS-IP-Address =~ ^192\.168\.49\.
   Calling-Station-Id := Prod
   Fall-Through = 1

DEFAULT NAS-IP-Address !~ ^(192\.168\.48\.|192\.168\.49\.)
   Calling-Station-Id := Any
   Fall-Through = 1

   -- hugh
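
An added example, not part of the thread: the three ways the 192.168.48.0/24 match is written above (unanchored, anchored with unescaped periods, anchored and escaped), compared with real CIDR membership on constructed sample values. Python's `re` stands in for the server's regex engine, and the CIDR table and function names are assumptions of this example.

```python
import ipaddress
import re

# The three ways the thread writes the "Dev" match (192.168.48.0/24).
PATTERNS = {
    "unanchored": r"192.168.48.*",     # pseudocode in the question
    "anchored": r"^192.168.48.",       # anchored, periods left unescaped
    "escaped": r"^192\.168\.48\.",     # anchored, periods escaped
}
# Group names follow the thread; the CIDR table is this example's assumption.
GROUPS = {"Dev": "192.168.48.0/24", "Prod": "192.168.49.0/24"}


def classify(value):
    """Map an attribute value to Dev, Prod or Any by real CIDR membership."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return "Any"  # not an IP address at all
    for group, cidr in GROUPS.items():
        if addr in ipaddress.ip_network(cidr):
            return group
    return "Any"


def false_matches(samples):
    """For each pattern, list values it matches that are not Dev addresses."""
    return {
        name: [s for s in samples if re.search(rx, s) and classify(s) != "Dev"]
        for name, rx in PATTERNS.items()
    }


# Constructed sample values, not taken from the thread.
SAMPLES = [
    "192.168.48.10",   # Dev
    "192.168.49.10",   # Prod
    "10.192.168.48",   # other network that contains the Dev prefix
    "192-168-48-10",   # free-form string, as a string attribute may carry
    "192.168.48.999",  # looks like Dev but is not a valid address
]

if __name__ == "__main__":
    for name, hits in false_matches(SAMPLES).items():
        print(f"{name:11} wrongly matches: {hits}")
```

Even the escaped, anchored pattern is only a string-prefix test, so it accepts values that are not valid addresses; that matters most for string attributes such as Called-Station-Id, whose content is supplied by the client.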




Re: Different Authentication for several devices(severalNas-Ip-Address)

2007-07-23 Thread nicolas
In the USERS file or the Pre_Proxy_Users file?

Thanks !


Nicolas.
