Re: Selecting authentication based on NAS-IP-Address or Client IP Address

2013-05-21 Thread Jeremiah Peterson
> by the home server.
> You'll need to set the reply in post-auth.
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
 
 

Re: Selecting authentication based on NAS-IP-Address or Client IP Address

2013-05-21 Thread Alan DeKok
Jeremiah Peterson wrote:
> Thanks Alan.
>
> I have been researching what you said and have seen from debug that the
> code you gave me seems to be accepted by the server when it is
> processed. I put the code in the authorize section of the
> /etc/freeradius/sites-enabled/default.
>
> I get:

  Well... it helps to read the debug output and think about what you've
configured.

  I'll also note that the debug output shows you've made a *lot* of
changes to the default configuration.

  So... it helps to understand the changes, before you make them.

  i.e. if you're not going to bother reading the debug output and
thinking about it, I'm not going to bother doing that, either.

  Alan DeKok.


Re: Selecting authentication based on NAS-IP-Address or Client IP Address

2013-05-21 Thread Jeremiah Peterson
Well then I obviously have missed something in the debug output which
should have been completely obvious but has not to this point been.

I do appreciate your time and willingness to help.   I have made a lot of
changes to the default configuration because I am deploying a highly
customized solution.

I will go over the debug output again and see if I can figure out what I am
missing and turn on a higher level of debugging.

I was not trying to get a quick and easy solution without reading the debug
output and I apologize if I came across that way.

Thank you for the reply.

Sent from my iPhone

On May 21, 2013, at 5:06 PM, Alan DeKok-2 [via FreeRADIUS] 
ml-node+s1045715n5720330...@n5.nabble.com wrote:

> Jeremiah Peterson wrote:
>> Thanks Alan.
>>
>> I have been researching what you said and have seen from debug that the
>> code you gave me seems to be accepted by the server when it is
>> processed. I put the code in the authorize section of the
>> /etc/freeradius/sites-enabled/default.
>>
>> I get:
>
>   Well... it helps to read the debug output and think about what you've
> configured.
>
>   I'll also note that the debug output shows you've made a *lot* of
> changes to the default configuration.
>
>   So... it helps to understand the changes, before you make them.
>
>   i.e. if you're not going to bother reading the debug output and
> thinking about it, I'm not going to bother doing that, either.
>
>   Alan DeKok.

Re: Selecting authentication based on NAS-IP-Address or Client IP Address

2013-05-18 Thread Alan DeKok
Jeremiah Peterson wrote:
> I see that it is possible to create realms and have each realm use a
> different proxy, but what I am more interested in is having the
> authentication method be selected based on client.
>
> For example:
>
> If the request comes from IP 10.10.10.10 and user bob then use
> home_server_pool xxx (and return attribute blah blah blah)
> If the request comes from IP 10.20.20.20 and user bob then use
> home_server_pool yyy (and return attribute yadda yadda yadda)
> If the request comes from IP 10.30.30.30 and user bob then use
> home_server_pool zzz (and return results from SQL query x)

  Most of this can be done via unlang.  It has if/then/else checks,
just like you wrote above.  You can even update the control items to
have Home-Server-Pool := xxx.

> I can see how this is done when making the user enter a realm name or prefix
> or suffix to the username, but I don't want to do that for every
> authentication.  I want the authentication method to be selected based on the
> client.

  You can select the *source* for authentication credentials.  You can't
select the authentication *method*.  The client selects that.  (PAP,
CHAP, etc.)

> I have been searching for details on all the configuration files but I am not
> finding anything very conclusive or explanatory on how to build custom sites.

  It's pretty simple:

    if ((Packet-Src-IP-Address == 10.10.10.10) && (User-Name == bob)) {
        update control {
            Home-Server-Pool := xxx
        }
    }


  You can't edit the reply here, because it's set by the home server.
You'll need to set the reply in post-auth.

  Alan DeKok.
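
Added example, not part of the original thread and not Alan DeKok's own configuration: the per-client selection discussed above written out for all three clients, with the pool chosen in authorize and the reply attributes set in post-auth. The pool names come from the question; the reply values and the SQL table and column are constructed placeholders, and the syntax assumes FreeRADIUS 2.x unlang.

```unlang
# sites-enabled/default (added example, FreeRADIUS 2.x unlang assumed).
# Pools xxx/yyy/zzz must exist as home_server_pool sections in proxy.conf.
authorize {
    # Packet-Src-IP-Address is the address the packet actually arrived
    # from; NAS-IP-Address is a value the client places in the packet.
    if (User-Name == "bob") {
        if (Packet-Src-IP-Address == 10.10.10.10) {
            update control {
                Home-Server-Pool := "xxx"
            }
        }
        elsif (Packet-Src-IP-Address == 10.20.20.20) {
            update control {
                Home-Server-Pool := "yyy"
            }
        }
        elsif (Packet-Src-IP-Address == 10.30.30.30) {
            update control {
                Home-Server-Pool := "zzz"
            }
        }
    }
}

post-auth {
    # Runs after the home server has answered, so reply edits made
    # here are not overwritten by the proxied response.
    if (Packet-Src-IP-Address == 10.10.10.10) {
        update reply {
            Reply-Message := "constructed value for pool xxx"
        }
    }
    elsif (Packet-Src-IP-Address == 10.20.20.20) {
        update reply {
            Reply-Message := "constructed value for pool yyy"
        }
    }
    elsif (Packet-Src-IP-Address == 10.30.30.30) {
        update reply {
            # Hypothetical table and column; requires the sql module.
            Reply-Message := "%{sql:SELECT message FROM client_replies WHERE username = '%{User-Name}'}"
        }
    }
}
```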


Selecting authentication based on NAS-IP-Address or Client IP Address

2013-05-17 Thread Jeremiah Peterson
I see that it is possible to create realms and have each realm use a different 
proxy, but what I am more interested in is having the authentication method be 
selected based on client.

For example:

If the request comes from IP 10.10.10.10 and user bob then use home_server_pool 
xxx (and return attribute blah blah blah)
If the request comes from IP 10.20.20.20 and user bob then use home_server_pool 
yyy (and return attribute yadda yadda yadda)
If the request comes from IP 10.30.30.30 and user bob then use home_server_pool 
zzz (and return results from SQL query x)

I can see how this is done when making the user enter a realm name or prefix or 
suffix to the username, but I don't want to do that for every authentication.  
I want the authentication method to be selected based on the client.

I have been searching for details on all the configuration files but I am not 
finding anything very conclusive or explanatory on how to build custom sites.

Any help would be appreciated.

Thanks for your help.

JerLasVegas