Re: Logging from another PC
1. Switch has to support dynamic VLAN assignment by radius. Then you pass
Tunnel set of attributes (type, medium and id) to it and place a user in
a desired VLAN. If you can only configure VLANs manually, then this is
not going to work.

2. How does someone change his IP address to a different subnet and VLAN
connection through the switch still works??? That should not be possible.
Your VLAN configuration is suspect. If someone is placed on a VLAN with a
private address and then changes the address to a public one (trying to
get onto Internet, for instance) - he should not be able to connect to
anything because he is on one subnet and gateway on another. Same applies
if all addresses are private but you are doing NAT for one (subnet) and
not for another etc.

Ivan Kalik
Kalik Informatika ISP

On 31/1/2008, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:

>Hmm. That sounds great. I have Port-based VLANs on the switches but still
>no effects. Am I using wrong type VLANs? Port-based authentication, could
>you explain some?
>Thanks.
>
>> Yes. Use VLANs and port based authentication and they won't be able to
>> do that. If they manually change IP address to a different VLAN,
>> connection will become unusable.
>>
>> Ivan Kalik
>> Kaliki Informatika ISP
>>
>> On 29/1/2008, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:
>>
>>>Hi,
>>>
>>>I have a question.
>>>When the user logs in using own username and password into Radius server
>>>(ie, using 192.168.160.5), it is OK. When someone changes IP address
>>>statically into logged IP (to 192.168.160.5), he can use the logged
>>>account. I mean he can use another one's account. How can I block
>>>another PC? And I don't want the user to log in often in one day. User
>>>must log in once in a day. That's why I don't want to put Idle-Timeout
>>>attribute.
>>>
>>>I'm using FreeRadius 2.0.1 with Cisco's BBSM 5.3. Could you give some
>>>clarification for this?
>>>
>>>Thanks

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Logging from another PC
Hmm. That sounds great. I have Port-based VLANs on the switches but still
no effects. Am I using wrong type VLANs? Port-based authentication, could
you explain some?
Thanks.

> Yes. Use VLANs and port based authentication and they won't be able to
> do that. If they manually change IP address to a different VLAN,
> connection will become unusable.
>
> Ivan Kalik
> Kaliki Informatika ISP
>
> On 29/1/2008, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:
>
>>Hi,
>>
>>I have a question.
>>When the user logs in using own username and password into Radius server
>>(ie, using 192.168.160.5), it is OK. When someone changes IP address
>>statically into logged IP (to 192.168.160.5), he can use the logged
>>account. I mean he can use another one's account. How can I block
>>another PC? And I don't want the user to log in often in one day. User
>>must log in once in a day. That's why I don't want to put Idle-Timeout
>>attribute.
>>
>>I'm using FreeRadius 2.0.1 with Cisco's BBSM 5.3. Could you give some
>>clarification for this?
>>
>>Thanks

Re: Logging from another PC
Yes. Use VLANs and port based authentication and they won't be able to
do that. If they manually change IP address to a different VLAN,
connection will become unusable.

Ivan Kalik
Kaliki Informatika ISP

On 29/1/2008, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:

>Hi,
>
>I have a question.
>When the user logs in using own username and password into Radius server
>(ie, using 192.168.160.5), it is OK. When someone changes IP address
>statically into logged IP (to 192.168.160.5), he can use the logged
>account. I mean he can use another one's account. How can I block
>another PC? And I don't want the user to log in often in one day. User
>must log in once in a day. That's why I don't want to put Idle-Timeout
>attribute.
>
>I'm using FreeRadius 2.0.1 with Cisco's BBSM 5.3. Could you give some
>clarification for this?
>
>Thanks

Re: Logging from another PC
Hey,

On Jan 29, 2008 9:45 AM, <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I have a question.
> When the user logs in using own username and password into Radius server
> (ie, using 192.168.160.5), it is OK. When someone changes IP address
> statically into logged IP (to 192.168.160.5), he can use the logged
> account. I mean he can use another one's account.

This is something that the NAS controls. FreeRADIUS only receives
authentication requests upon which it can Accept or Reject the user.
You might also want to look at the Simultaneous-Use attribute.

> How can I block another PC? And I don't want the user to log in often
> in one day.

You can set a check attribute for the Calling-Station-Id MAC Address and
so the user will be granted access only if he logs in from a specific
machine.

> User must log in once in a day. That's why I don't want to put
> Idle-Timeout attribute.

Explain better please.

Regards,
Liran Tal.

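The attributes named in the replies above (Calling-Station-Id, Simultaneous-Use and the Tunnel set) combined in one FreeRADIUS "users" file entry. This is an added example, not part of any message in the thread; the user name, password, MAC address and VLAN id are constructed values, and it assumes the NAS sends the client MAC in Calling-Station-Id and the switch supports dynamic VLAN assignment.

```conf
# Constructed sample entry for the FreeRADIUS "users" file.
# "alice", the password, the MAC address and VLAN 160 are made-up values.
#
# First line = check items:
#   Cleartext-Password := ...  the password the request is verified against.
#   Calling-Station-Id == ...  the entry matches only when the NAS reports
#                              this MAC address; the string format must be
#                              exactly what the NAS sends. With no other
#                              matching entry the login is rejected.
#   Simultaneous-Use := 1      allow one active session for the account.
#                              Needs accounting packets from the NAS and
#                              session tracking (radutmp or sql listed in
#                              the "session" section) to be enabled.
#
# Indented lines = reply items returned in the Access-Accept:
#   Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id
#                              the type / medium / id set that asks the
#                              switch to place the port in VLAN 160.
#
# No Idle-Timeout is set, matching the requirement in the original post.
alice   Cleartext-Password := "ConstructedPass1", Calling-Station-Id == "00-11-22-33-44-55", Simultaneous-Use := 1
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "160"
```
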
Logging from another PC
Hi,

I have a question.
When the user logs in using own username and password into Radius server
(ie, using 192.168.160.5), it is OK. When someone changes IP address
statically into logged IP (to 192.168.160.5), he can use the logged
account. I mean he can use another one's account. How can I block
another PC? And I don't want the user to log in often in one day. User
must log in once in a day. That's why I don't want to put Idle-Timeout
attribute.

I'm using FreeRadius 2.0.1 with Cisco's BBSM 5.3. Could you give some
clarification for this?

Thanks