Re: Different Authentication for several devices (severalNas-Ip-Address)
OK. If your devices put their IP addresses in Called-Station-Id field there is no need to do rewrites. You can use regexp operators to control access as Called-Station-Id attribute is a string.

NAS1    NAS-IP-Address == proxyIP, Called-Station-Id =~ ^192.168.48.
        Dev group(s) in reply

NAS2    NAS-IP-Address == proxyIP, Called-Station-Id =~ ^192.168.49.
        Prod group(s) in reply

Ivan Kalik
Kalik Informatika ISP

You can leave out this proxy IP check if all traffic comes over the proxy. You might need to escape periods in regexp.

On 23/7/2007, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

> Re-Hello ;-)
>
> I search how I can do this but I don't find...
>
> I want to do this :
>
> If NAS-IP-Address == 192.168.48.0/24 -- Rewrite Calling-station-id to Dev
> else If NAS-IP-Address == 192.168.48.0/24 -- Rewrite Calling-station-id to Prod
> else Do nothing.
> fi
> fi
>
> I don't know how to check the NAS-IP-ADDRESS attribute and rewrite another attribute (Calling-Station-ID)..
>
> Thank you for your help !!
> NicolaS.
>
> Quoting [EMAIL PROTECTED]:
>
> > Hello,
> > Thank you for your help but I don't understand how you can make it.
> > Here my configuration that I try:
> >
> > # Replace the Nas-Ip-Address by Proxy-IP
> > attr_rewrite overwrite_nasip {
> >         attribute = NAS-IP-Address
> >         searchfor = .*
> >         packet = packet
> >         replacewith = 10.28.65.130
> >         max_matches = 1
> > }
> >
> > # Dev Eqpt : 192.168.48.0/24
> > attr_rewrite dev_equipment {
> >         attribute = Calling-Station-Id
> >         searchfor = .*
> >         packet = packet
> >         replacewith = Dev -- Replace String Dev for all Eqpts but not for 192.168.48.0/24!!
> >         max_matches = 1
> > }
> >
> > preproxy {
> >         files
> >         overwrite_nasip
> >         dev_equipment
> > }
> >
> > Here what I want :
> >
> > 1. If [ NAS-IP-Address =~ 192.168.48.* ]
> >        Calling-Station-Id = Dev
> >    else if [ NAS-IP-Address =~ 192.168.49.* ]
> >        Calling-station-id = Prod
> >    else
> >        Calling-station-id = Any
> >    fi
> >    fi
> >
> > 2. the proxy forwards the access-request to the radius server
> >
> > 3. The radius server receives the access-request
> >    If [ Nas-IP-Address == Proxy-IP and Calling-Station-Id == Dev ]
> >        instance_openldap-Ldap-Group == CiscoDev
> >    else If [ Nas-IP-Address == Proxy-IP and Calling-Station-Id = Prod ]
> >        instance_openldap-Ldap-Group == CiscoProd
> >    else
> >        instance_openldap-Ldap-Group == CiscoOthers
> >    fi
> >    fi
> >
> > Thank you for your assistance
> > Nicolas.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Different Authentication for several devices (severalNas-Ip-Address)
Called-Station-Id isn't equal to Nas-Ip-Address, it is equal to the PC where I initiate telnet Connection. It's not equal to my Nas-Ip :(

So, I would change the called-station-id to Nas-Ip-Address and Nas-Ip-Address to proxy address.

Any idea ?

Quoting [EMAIL PROTECTED]:

> OK. If your devices put their IP addresses in Called-Station-Id field there is no need to do rewrites. You can use regexp operators to control access as Called-Station-Id attribute is a string.
>
> NAS1    NAS-IP-Address == proxyIP, Called-Station-Id =~ ^192.168.48.
>         Dev group(s) in reply
>
> NAS2    NAS-IP-Address == proxyIP, Called-Station-Id =~ ^192.168.49.
>         Prod group(s) in reply
>
> Ivan Kalik
> Kalik Informatika ISP
>
> You can leave out this proxy IP check if all traffic comes over the proxy. You might need to escape periods in regexp.
>
> On 23/7/2007, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
>
> > Re-Hello ;-)
> >
> > I search how I can do this but I don't find...
> >
> > I want to do this :
> >
> > If NAS-IP-Address == 192.168.48.0/24 -- Rewrite Calling-station-id to Dev
> > else If NAS-IP-Address == 192.168.48.0/24 -- Rewrite Calling-station-id to Prod
> > else Do nothing.
> > fi
> > fi
> >
> > I don't know how to check the NAS-IP-ADDRESS attribute and rewrite another attribute (Calling-Station-ID)..
> >
> > Thank you for your help !!
> > NicolaS.
> >
> > Quoting [EMAIL PROTECTED]:
> >
> > > Hello,
> > > Thank you for your help but I don't understand how you can make it.
> > > Here my configuration that I try:
> > >
> > > # Replace the Nas-Ip-Address by Proxy-IP
> > > attr_rewrite overwrite_nasip {
> > >         attribute = NAS-IP-Address
> > >         searchfor = .*
> > >         packet = packet
> > >         replacewith = 10.28.65.130
> > >         max_matches = 1
> > > }
> > >
> > > # Dev Eqpt : 192.168.48.0/24
> > > attr_rewrite dev_equipment {
> > >         attribute = Calling-Station-Id
> > >         searchfor = .*
> > >         packet = packet
> > >         replacewith = Dev -- Replace String Dev for all Eqpts but not for 192.168.48.0/24!!
> > >         max_matches = 1
> > > }
> > >
> > > preproxy {
> > >         files
> > >         overwrite_nasip
> > >         dev_equipment
> > > }
> > >
> > > Here what I want :
> > >
> > > 1. If [ NAS-IP-Address =~ 192.168.48.* ]
> > >        Calling-Station-Id = Dev
> > >    else if [ NAS-IP-Address =~ 192.168.49.* ]
> > >        Calling-station-id = Prod
> > >    else
> > >        Calling-station-id = Any
> > >    fi
> > >    fi
> > >
> > > 2. the proxy forwards the access-request to the radius server
> > >
> > > 3. The radius server receives the access-request
> > >    If [ Nas-IP-Address == Proxy-IP and Calling-Station-Id == Dev ]
> > >        instance_openldap-Ldap-Group == CiscoDev
> > >    else If [ Nas-IP-Address == Proxy-IP and Calling-Station-Id = Prod ]
> > >        instance_openldap-Ldap-Group == CiscoProd
> > >    else
> > >        instance_openldap-Ldap-Group == CiscoOthers
> > >    fi
> > >    fi
> > >
> > > Thank you for your assistance
> > > Nicolas.
Re: Different Authentication for several devices (severalNas-Ip-Address)
Moreover, I use a proxy because in the huntgroup file, I can't use a CIDR network, just a host IP.

Quoting [EMAIL PROTECTED]:

> OK. If your devices put their IP addresses in Called-Station-Id field there is no need to do rewrites. You can use regexp operators to control access as Called-Station-Id attribute is a string.
>
> NAS1    NAS-IP-Address == proxyIP, Called-Station-Id =~ ^192.168.48.
>         Dev group(s) in reply
>
> NAS2    NAS-IP-Address == proxyIP, Called-Station-Id =~ ^192.168.49.
>         Prod group(s) in reply
>
> Ivan Kalik
> Kalik Informatika ISP
>
> You can leave out this proxy IP check if all traffic comes over the proxy. You might need to escape periods in regexp.
>
> On 23/7/2007, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
>
> > Re-Hello ;-)
> >
> > I search how I can do this but I don't find...
> >
> > I want to do this :
> >
> > If NAS-IP-Address == 192.168.48.0/24 -- Rewrite Calling-station-id to Dev
> > else If NAS-IP-Address == 192.168.48.0/24 -- Rewrite Calling-station-id to Prod
> > else Do nothing.
> > fi
> > fi
> >
> > I don't know how to check the NAS-IP-ADDRESS attribute and rewrite another attribute (Calling-Station-ID)..
> >
> > Thank you for your help !!
> > NicolaS.
> >
> > Quoting [EMAIL PROTECTED]:
> >
> > > Hello,
> > > Thank you for your help but I don't understand how you can make it.
> > > Here my configuration that I try:
> > >
> > > # Replace the Nas-Ip-Address by Proxy-IP
> > > attr_rewrite overwrite_nasip {
> > >         attribute = NAS-IP-Address
> > >         searchfor = .*
> > >         packet = packet
> > >         replacewith = 10.28.65.130
> > >         max_matches = 1
> > > }
> > >
> > > # Dev Eqpt : 192.168.48.0/24
> > > attr_rewrite dev_equipment {
> > >         attribute = Calling-Station-Id
> > >         searchfor = .*
> > >         packet = packet
> > >         replacewith = Dev -- Replace String Dev for all Eqpts but not for 192.168.48.0/24!!
> > >         max_matches = 1
> > > }
> > >
> > > preproxy {
> > >         files
> > >         overwrite_nasip
> > >         dev_equipment
> > > }
> > >
> > > Here what I want :
> > >
> > > 1. If [ NAS-IP-Address =~ 192.168.48.* ]
> > >        Calling-Station-Id = Dev
> > >    else if [ NAS-IP-Address =~ 192.168.49.* ]
> > >        Calling-station-id = Prod
> > >    else
> > >        Calling-station-id = Any
> > >    fi
> > >    fi
> > >
> > > 2. the proxy forwards the access-request to the radius server
> > >
> > > 3. The radius server receives the access-request
> > >    If [ Nas-IP-Address == Proxy-IP and Calling-Station-Id == Dev ]
> > >        instance_openldap-Ldap-Group == CiscoDev
> > >    else If [ Nas-IP-Address == Proxy-IP and Calling-Station-Id = Prod ]
> > >        instance_openldap-Ldap-Group == CiscoProd
> > >    else
> > >        instance_openldap-Ldap-Group == CiscoOthers
> > >    fi
> > >    fi
> > >
> > > Thank you for your assistance
> > > Nicolas.
RE: Different Authentication for several devices(severalNas-Ip-Address)
[EMAIL PROTECTED] said:

> If [ NAS-IP-Address =~ 192.168.48.* ]
>     Calling-Station-Id = Dev
> else if [ NAS-IP-Address =~ 192.168.49.* ]
>     Calling-station-id = Prod
> else
>     Calling-station-id = Any
> fi
> fi

You might try:

DEFAULT NAS-IP-Address =~ ^192\.168\.48\.
        Calling-Station-Id := Dev,
        Fall-Through = 1

DEFAULT NAS-IP-Address =~ ^192\.168\.49\.
        Calling-Station-Id := Prod,
        Fall-Through = 1

DEFAULT NAS-IP-Address !~ ^(192\.168\.48\.|192\.168\.49\.)
        Calling-Station-Id := Any,
        Fall-Through = 1

-- hugh
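Added example, not part of the original thread: the three pattern spellings that appear in these messages, compared against a real 192.168.48.0/24 membership test, to show which strings each one would place in the Dev group. Python's re.search stands in for the server's regex operator (an assumption; the patterns use only constructs that behave the same in POSIX regex), and the sample values are constructed.

```python
import ipaddress
import re

# The three spellings of the "Dev" match that appear in the thread.
PATTERNS = {
    "unanchored": r"192.168.48.*",   # pseudocode in the question
    "anchored": r"^192.168.48.",     # first reply, periods not escaped
    "escaped": r"^192\.168\.48\.",   # later reply, periods escaped
}
DEV_NET = ipaddress.ip_network("192.168.48.0/24")

# Constructed attribute values, as a string attribute could carry them.
SAMPLES = [
    "192.168.48.17",    # genuine Dev address
    "192.168.49.17",    # genuine Prod address
    "2.192.168.48",     # valid address that merely contains the prefix
    "192.168.48",       # truncated value
    "192.168.48x1",     # '.' in the pattern matches any character
    "192-168-48-17",    # separators are not periods
    "192.168.48.999",   # right prefix, not a valid address
]

def regex_says_dev(pattern_name, value):
    """True if the named pattern would classify value as Dev."""
    return re.search(PATTERNS[pattern_name], value) is not None

def cidr_says_dev(value):
    """True only if value parses as an IPv4 address inside 192.168.48.0/24."""
    try:
        return ipaddress.ip_address(value) in DEV_NET
    except ValueError:
        return False

def disagreements(pattern_name):
    """Sample values where the regex and the CIDR test give different answers."""
    return [v for v in SAMPLES
            if regex_says_dev(pattern_name, v) != cidr_says_dev(v)]

if __name__ == "__main__":
    for name in PATTERNS:
        print(f"{name:11s} misclassifies: {disagreements(name)}")
```

Even the escaped, anchored form is only a prefix test, so it is safe on NAS-IP-Address (which the server renders as a dotted quad) but accepts arbitrary trailing text on a free-form string attribute such as Called-Station-Id.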
Re: Different Authentication for several devices(severalNas-Ip-Address)
In the USERS file or Pre_Proxy_Users file ?

Thanks !
Nicolas.

Hugh Messenger wrote:

> [EMAIL PROTECTED] said:
>
> > If [ NAS-IP-Address =~ 192.168.48.* ]
> >     Calling-Station-Id = Dev
> > else if [ NAS-IP-Address =~ 192.168.49.* ]
> >     Calling-station-id = Prod
> > else
> >     Calling-station-id = Any
> > fi
> > fi
>
> You might try:
>
> DEFAULT NAS-IP-Address =~ ^192\.168\.48\.
>         Calling-Station-Id := Dev,
>         Fall-Through = 1
>
> DEFAULT NAS-IP-Address =~ ^192\.168\.49\.
>         Calling-Station-Id := Prod,
>         Fall-Through = 1
>
> DEFAULT NAS-IP-Address !~ ^(192\.168\.48\.|192\.168\.49\.)
>         Calling-Station-Id := Any,
>         Fall-Through = 1
>
> -- hugh