Re: Different Authentication for several devices(severalNas-Ip-Address)
In the USERS file or Pre_Proxy_Users file ? Thanks ! Nicolas. Hugh Messenger wrote: > [EMAIL PROTECTED] said > >> If [ NAS-IP-Address =~ 192.168.48.* ] >> Calling-Station-Id = Dev >> else >>if [ NAS-IP-Address =~ 192.168.49.* ] >>Calling-station-id = Prod >>else >>Calling-station-id = Any >>fi >> fi >> > > You might try: > > DEFAULT NAS-IP-Address =~ "^192\.168\.48\." > Calling-Station-Id := Dev > Fall-Through = 1 > > DEFAULT NAS-IP-Address =~ "^192\.168\.48\." > Calling-Station-Id := Prod > Fall-Through = 1 > > DEFAULT NAS-IP-Address !~ "^(192\.168\.48\.|192\.168\.49\.)" > Calling-Station-Id := Any > Fall-Through = 1 > >-- hugh > > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > > > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Different Authentication for several devices(severalNas-Ip-Address)
[EMAIL PROTECTED] said > If [ NAS-IP-Address =~ 192.168.48.* ] > Calling-Station-Id = Dev > else >if [ NAS-IP-Address =~ 192.168.49.* ] >Calling-station-id = Prod >else >Calling-station-id = Any >fi > fi You might try: DEFAULT NAS-IP-Address =~ "^192\.168\.48\." Calling-Station-Id := Dev Fall-Through = 1 DEFAULT NAS-IP-Address =~ "^192\.168\.48\." Calling-Station-Id := Prod Fall-Through = 1 DEFAULT NAS-IP-Address !~ "^(192\.168\.48\.|192\.168\.49\.)" Calling-Station-Id := Any Fall-Through = 1 -- hugh - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Different Authentication for several devices (severalNas-Ip-Address)
Moreover, i use a proxy because in the huntgroup file, i can't use a CIDR network just a Host IP. Selon [EMAIL PROTECTED]: > OK. If you devices put their IP addresses in Called-Station-Id field > there is no need to do rewrites. You can use regexp operators to > controll access as Called-Station-Id attribute is a string. > > NAS1 NAS-IP-Address == proxyIP, Called-Station-Id =~ "^192.168.48." >Dev group(s) in reply > > NAS2 NAS-IP-Address == proxyIP, Called-Station-Id =~ "^192.168.49." >Prod group(s) in reply > > Ivan Kalik > Kalik Informatika ISP > > > You can leave this out proxy IP check if all traffic comes over the > proxy. You might need to escape periods in regexp. > > Dana 23/7/2007, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> pi¹e: > > >Re-Hello ;-) > > > >I search how i can do this but i don't find... > > > >I want to do this : > > > >If NAS-IP-Address == 192.168.48.0/24 --> Rewrite Calling-station-id to "Dev" > >else > > If NAS-IP-Address == 192.168.48.0/24 --> Rewrite Calling-station-id to > "Prod" > > else > >Do nothing. > > fi > >fi > > > >I don't know how check the NAS-IP-ADDRESS attribute and rewrite an other > >attribute (Calling-Station-ID).. > > > >Thank you for your help !! > > > >NicolaS. > > > >Selon [EMAIL PROTECTED]: > > > >> Hello, > >> > >> Thank you for your help but I don't understand how you can make it. > >> > >> Here my configuration that I try: > >> > >> #Replae The Nas-Ip6address by Proxy-IP > >> attr_rewrite overwrite_nasip { > >> attribute = "NAS-IP-Address" > >> searchfor = ".*" > >> packet= packet > >> replacewith = "10.28.65.130" > >> max_matches = 1 > >> } > >> > >> # Dev Eqpt : 192.168.48.0/24 > >> attr_rewrite dev_equipment { > >> attribute = "Calling-Station-Id" > >> searchfor = ".*" > >> packet= packet > >> replacewith = "Dev" --> Replace String Dev for all Eqpts but not > for > >> 192.168.48.0/24!! > >> max_matches = 1 > >> } > >> > >> preproxy { > >> files > >> overwrite_nasip > >> dev_equipment > >> } > >> > >> Here what I want : > >> > >> 1. > >> > >> If [ NAS-IP-Address =~ 192.168.48.* ] > >> Calling-Station-Id = Dev > >> else > >>if [ NAS-IP-Address =~ 192.168.49.* ] > >>Calling-station-id = Prod > >>else > >>Calling-station-id = Any > >>fi > >> fi > >> > >> 2. > >> the proxy forwards the access-request to the radius server > >> > >> 3. > >> The radius server receives the acces-request > >>If [ Nas-IP-Address == Proxy-IP and Calling-Station-Id == Dev ] > >> instance_openldap-Ldap-Group == CiscoDev > >>else > >> If [ Nas-IP-Address == Proxy-IP and Calling-Station-Id = Prod ] > >> instance_openldap-Ldap-Group == CiscoProd > >> else > >> instance_openldap-Ldap-Group == CiscoOthers > >> fi > >>fi > >> > >> Thank you for your assistance > >> > >> Nicolas. > >> > >> > >> > >> > >> > >> > >> - > >> List info/subscribe/unsubscribe? See > >> http://www.freeradius.org/list/users.html > >> > > > > > >- > >List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > > > > > > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Different Authentication for several devices (severalNas-Ip-Address)
Called-Station-Id isn't equal to Nas-Ip-Address, it equal to the PC where I initiate telnet Connection. It's not equal to my Nas-Ip :( So, i would change the called-station-id to Nas-Ip-Adress and Nas-Ip-Address to proxy address. Any idea ? Selon [EMAIL PROTECTED]: > OK. If you devices put their IP addresses in Called-Station-Id field > there is no need to do rewrites. You can use regexp operators to > controll access as Called-Station-Id attribute is a string. > > NAS1 NAS-IP-Address == proxyIP, Called-Station-Id =~ "^192.168.48." >Dev group(s) in reply > > NAS2 NAS-IP-Address == proxyIP, Called-Station-Id =~ "^192.168.49." >Prod group(s) in reply > > Ivan Kalik > Kalik Informatika ISP > > > You can leave this out proxy IP check if all traffic comes over the > proxy. You might need to escape periods in regexp. > > Dana 23/7/2007, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> pi¹e: > > >Re-Hello ;-) > > > >I search how i can do this but i don't find... > > > >I want to do this : > > > >If NAS-IP-Address == 192.168.48.0/24 --> Rewrite Calling-station-id to "Dev" > >else > > If NAS-IP-Address == 192.168.48.0/24 --> Rewrite Calling-station-id to > "Prod" > > else > >Do nothing. > > fi > >fi > > > >I don't know how check the NAS-IP-ADDRESS attribute and rewrite an other > >attribute (Calling-Station-ID).. > > > >Thank you for your help !! > > > >NicolaS. > > > >Selon [EMAIL PROTECTED]: > > > >> Hello, > >> > >> Thank you for your help but I don't understand how you can make it. > >> > >> Here my configuration that I try: > >> > >> #Replae The Nas-Ip6address by Proxy-IP > >> attr_rewrite overwrite_nasip { > >> attribute = "NAS-IP-Address" > >> searchfor = ".*" > >> packet= packet > >> replacewith = "10.28.65.130" > >> max_matches = 1 > >> } > >> > >> # Dev Eqpt : 192.168.48.0/24 > >> attr_rewrite dev_equipment { > >> attribute = "Calling-Station-Id" > >> searchfor = ".*" > >> packet= packet > >> replacewith = "Dev" --> Replace String Dev for all Eqpts but not > for > >> 192.168.48.0/24!! > >> max_matches = 1 > >> } > >> > >> preproxy { > >> files > >> overwrite_nasip > >> dev_equipment > >> } > >> > >> Here what I want : > >> > >> 1. > >> > >> If [ NAS-IP-Address =~ 192.168.48.* ] > >> Calling-Station-Id = Dev > >> else > >>if [ NAS-IP-Address =~ 192.168.49.* ] > >>Calling-station-id = Prod > >>else > >>Calling-station-id = Any > >>fi > >> fi > >> > >> 2. > >> the proxy forwards the access-request to the radius server > >> > >> 3. > >> The radius server receives the acces-request > >>If [ Nas-IP-Address == Proxy-IP and Calling-Station-Id == Dev ] > >> instance_openldap-Ldap-Group == CiscoDev > >>else > >> If [ Nas-IP-Address == Proxy-IP and Calling-Station-Id = Prod ] > >> instance_openldap-Ldap-Group == CiscoProd > >> else > >> instance_openldap-Ldap-Group == CiscoOthers > >> fi > >>fi > >> > >> Thank you for your assistance > >> > >> Nicolas. > >> > >> > >> > >> > >> > >> > >> - > >> List info/subscribe/unsubscribe? See > >> http://www.freeradius.org/list/users.html > >> > > > > > >- > >List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > > > > > > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Different Authentication for several devices (severalNas-Ip-Address)
OK. If you devices put their IP addresses in Called-Station-Id field there is no need to do rewrites. You can use regexp operators to controll access as Called-Station-Id attribute is a string. NAS1 NAS-IP-Address == proxyIP, Called-Station-Id =~ "^192.168.48." Dev group(s) in reply NAS2 NAS-IP-Address == proxyIP, Called-Station-Id =~ "^192.168.49." Prod group(s) in reply Ivan Kalik Kalik Informatika ISP You can leave this out proxy IP check if all traffic comes over the proxy. You might need to escape periods in regexp. Dana 23/7/2007, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> piše: >Re-Hello ;-) > >I search how i can do this but i don't find... > >I want to do this : > >If NAS-IP-Address == 192.168.48.0/24 --> Rewrite Calling-station-id to "Dev" >else > If NAS-IP-Address == 192.168.48.0/24 --> Rewrite Calling-station-id to "Prod" > else >Do nothing. > fi >fi > >I don't know how check the NAS-IP-ADDRESS attribute and rewrite an other >attribute (Calling-Station-ID).. > >Thank you for your help !! > >NicolaS. > >Selon [EMAIL PROTECTED]: > >> Hello, >> >> Thank you for your help but I don't understand how you can make it. >> >> Here my configuration that I try: >> >> #Replae The Nas-Ip6address by Proxy-IP >> attr_rewrite overwrite_nasip { >> attribute = "NAS-IP-Address" >> searchfor = ".*" >> packet= packet >> replacewith = "10.28.65.130" >> max_matches = 1 >> } >> >> # Dev Eqpt : 192.168.48.0/24 >> attr_rewrite dev_equipment { >> attribute = "Calling-Station-Id" >> searchfor = ".*" >> packet= packet >> replacewith = "Dev" --> Replace String Dev for all Eqpts but not for >> 192.168.48.0/24!! >> max_matches = 1 >> } >> >> preproxy { >> files >> overwrite_nasip >> dev_equipment >> } >> >> Here what I want : >> >> 1. >> >> If [ NAS-IP-Address =~ 192.168.48.* ] >> Calling-Station-Id = Dev >> else >>if [ NAS-IP-Address =~ 192.168.49.* ] >>Calling-station-id = Prod >>else >>Calling-station-id = Any >>fi >> fi >> >> 2. >> the proxy forwards the access-request to the radius server >> >> 3. >> The radius server receives the acces-request >>If [ Nas-IP-Address == Proxy-IP and Calling-Station-Id == Dev ] >> instance_openldap-Ldap-Group == CiscoDev >>else >> If [ Nas-IP-Address == Proxy-IP and Calling-Station-Id = Prod ] >> instance_openldap-Ldap-Group == CiscoProd >> else >> instance_openldap-Ldap-Group == CiscoOthers >> fi >>fi >> >> Thank you for your assistance >> >> Nicolas. >> >> >> >> >> >> >> - >> List info/subscribe/unsubscribe? See >> http://www.freeradius.org/list/users.html >> > > >- >List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html