
I have FreeRADIUS installed on my server, and also have two LANs (or maybe more) managed by this server. Let's say LAN A: 192.168.1.0, and LAN B: 192.168.2.0. I'm using FreeRADIUS in combination with a postgres database. In my radcheck table I have inserted the following row:

username='myuser', attribute='Password', op=':=', value='mypass'.

Now I want to let the clients that will request services from my FreeRADIUS to be able to authenticate themselves with this username and password only if they are part of LAN B.

Question: Can anyone suggest how to get this done?

I tried to put in the radcheck one row more: username='myuser', attribute='NAS-IP-Address', op=':=', value='192.168.2.1', but without success.

Any help would be appreciated.

artaxerxe

2 Answers


I haven't used a database backend before, but using the users file the rule would look something like this:

myuser  Cleartext-Password := "mypass", NAS-IP-Address == "192.168.2.1"

Based on that, I think you need two entries in the radcheck table:

username='myuser', attribute='Password', op=':=', value='mypass'
username='myuser', attribute='NAS-IP-Address', op='==', value='192.168.2.1'
mgorven

Using an SQL database, I solved this by:

1) Adding a special row (site_id)

ALTER TABLE radcheck ADD site_id VARCHAR(30) NOT NULL default '0.0.0.0' AFTER value;

2) Modifying /etc/freeradius/sql/mysql/dialup.conf as follows

authorize_check_query = "SELECT id, username, attribute, value, op, site_id, valid_from, valid_until \
  FROM ${authcheck_table} \
  WHERE username = '%{SQL-User-Name}' AND site_id='%{NAS-Identifier}' \
  ORDER BY id"

In my case I used the NAS-Id, but replacing %{NAS-Identifier} with %{NAS-IP-Address} (and optionally site_id with site_ip) will do the trick with an IP address.

vinch100
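The two answers above restrict the account to one NAS in different places: the first by the operator on the NAS-IP-Address check item (`==` compares against the request, `:=` only sets a value and always "matches", which is why the asker's row had no effect), the second by filtering rows out in authorize_check_query itself. The following is an added example, not code from either answer or from FreeRADIUS: a small Python model of radcheck in SQLite (not the asker's PostgreSQL) with a simplified check-item evaluator. Assumptions: only the `==`, `!=` and `:=` operators are modelled, and both the page's 'Password' attribute and the real FreeRADIUS Cleartext-Password name are treated as the known password; the NAS addresses, the constructed requests and the `site_id` filter variant are mine.

```python
import sqlite3

# Constructed stand-in for the radcheck table, including the site_id column
# the second answer adds (IP address used as the site identifier here).
SCHEMA = """
CREATE TABLE radcheck (
    id        INTEGER PRIMARY KEY,
    username  TEXT NOT NULL,
    attribute TEXT NOT NULL,
    op        TEXT NOT NULL,
    value     TEXT NOT NULL,
    site_id   TEXT NOT NULL DEFAULT '0.0.0.0'
);
"""

def make_db(rows):
    """Build an in-memory radcheck table from (username, attribute, op, value, site_id) rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO radcheck (username, attribute, op, value, site_id) VALUES (?, ?, ?, ?, ?)",
        rows,
    )
    return conn

def fetch_check_items(conn, username, nas_ip=None):
    """Model of authorize_check_query (parameterised here; FreeRADIUS expands
    %{SQL-User-Name} / %{NAS-IP-Address} into the query text instead).
    nas_ip=None is the stock query; nas_ip set is the per-site variant from the
    second answer, which drops rows belonging to other NAS devices."""
    if nas_ip is None:
        cur = conn.execute(
            "SELECT attribute, op, value FROM radcheck WHERE username = ? ORDER BY id",
            (username,))
    else:
        cur = conn.execute(
            "SELECT attribute, op, value FROM radcheck WHERE username = ? AND site_id = ? ORDER BY id",
            (username, nas_ip))
    return cur.fetchall()

def authorize(check_items, request):
    """Simplified model of FreeRADIUS check-item evaluation (assumption: only
    ==, != and := are handled). Comparison operators are tested against the
    request; := never compares, it only stores a control value such as the
    expected password. Returns True when the request is accepted."""
    if not check_items:
        return False  # no rows for this user on this NAS: unknown user
    control = {}
    for attr, op, value in check_items:
        if op == ":=":
            control[attr] = value
        elif op == "==":
            if request.get(attr) != value:
                return False
        elif op == "!=":
            if request.get(attr) == value:
                return False
        else:
            raise ValueError(f"operator {op!r} not modelled")
    expected = control.get("Cleartext-Password") or control.get("Password")
    return expected is not None and request.get("User-Password") == expected

def request_from(nas_ip):
    """Constructed Access-Request for 'myuser' arriving from the given NAS."""
    return {"User-Name": "myuser", "User-Password": "mypass", "NAS-IP-Address": nas_ip}

def scenario_operator(nas_op):
    """First answer's approach: NAS-IP-Address as a check item with operator nas_op.
    Returns (accepted from LAN B NAS, accepted from LAN A NAS)."""
    conn = make_db([
        ("myuser", "Password", ":=", "mypass", "0.0.0.0"),
        ("myuser", "NAS-IP-Address", nas_op, "192.168.2.1", "0.0.0.0"),
    ])
    items = fetch_check_items(conn, "myuser")
    return authorize(items, request_from("192.168.2.1")), authorize(items, request_from("192.168.1.1"))

def scenario_site_id():
    """Second answer's approach: one row tagged with site_id, filtered in the query."""
    conn = make_db([("myuser", "Password", ":=", "mypass", "192.168.2.1")])
    return {
        nas: authorize(fetch_check_items(conn, "myuser", nas_ip=nas), request_from(nas))
        for nas in ("192.168.2.1", "192.168.1.1")
    }

if __name__ == "__main__":
    print("NAS-IP-Address := (asker's row):", scenario_operator(":="))   # (True, True)
    print("NAS-IP-Address == (first answer):", scenario_operator("=="))  # (True, False)
    print("site_id filter (second answer):", scenario_site_id())          # only 192.168.2.1 accepted
```

The first line of output reproduces the asker's failure: with `:=` the NAS row is stored, never compared, so the LAN A NAS is accepted too. The other two approaches both reject it; the query-filter variant additionally means a user with no row for that NAS is treated as unknown, which is the behaviour to verify in radiusd -X output after changing dialup.conf.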