> > Is there another possibility I've overlooked? "Conditional check-items"?
It's a very good idea - "Conditional check-items". I just want to show another real-life example where it can be a very helpful feature.
We sell different internet services, including dialup and campus
(Ethernet clients get internet access via a VPN server, which talks with RADIUS
to auth them) services, which are RADIUS-authenticated. To avoid
cross-authentication for these users (for example, a dialup user tries
his username & password to access the VPN server - without this check
users will be auth-ed ok, but billing will fail - it uses different tariff plans,
and they are even billed for different kinds of accounting data - in dialup it's time,
in campus it's IP traffic size) I added the following rows to radgroupcheck:
 id | groupname  | attribute         | value   | op
----+------------+-------------------+---------+----
 31 | campus     | Client-IP-Address | a.a.a.a | ==
 32 | scn.ru     | Client-IP-Address | b.b.b.b | ==
 33 | sibinet.ru | Client-IP-Address | b.b.b.b | ==
Rows with id=32,33 are the dialup users' realms.
Currently, we are going to authenticate mail services via the RADIUS server as well,
and it's problematic - almost all our users have emails in the "@scn.ru" domain and
all requests from the mail server will be rejected, because the mail server has
a different Client-IP-Address, not 'b.b.b.b'.
Furthermore, for mail authentication we plan to use Postfix (try telnet mail.freebsd.org 25 :-)
and it will authenticate POP and SMTP services. For SMTP (mail delivery) we need
to check only the existence of the user, so the User-Password/Crypt-Password attributes
should also be "conditionally" checked!
-- best regards, Ruslan A Dautkhanov [EMAIL PROTECTED]
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
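
A simplified model of how the `==` rows in the message above gate a request, added here as an illustration; it is not part of the original message and is not FreeRADIUS code. It assumes the user's group is already known and passed in directly, and `c.c.c.c` is a constructed placeholder for the mail server's address.

```python
# Simplified model of '==' group check-items; not FreeRADIUS's implementation.
# Rows are copied from the radgroupcheck table in the message. a.a.a.a and
# b.b.b.b are the message's own placeholders (VPN server, dialup NAS).
RADGROUPCHECK = [
    (31, "campus", "Client-IP-Address", "a.a.a.a", "=="),
    (32, "scn.ru", "Client-IP-Address", "b.b.b.b", "=="),
    (33, "sibinet.ru", "Client-IP-Address", "b.b.b.b", "=="),
]


def failed_checks(group, request, rows=RADGROUPCHECK):
    """Return the ids of the group's check rows that the request does not satisfy."""
    failed = []
    for row_id, groupname, attribute, value, op in rows:
        if groupname != group:
            continue
        if op != "==":
            raise ValueError(f"operator {op!r} is not modelled here")
        # A missing attribute fails the check the same way a wrong value does.
        if request.get(attribute) != value:
            failed.append(row_id)
    return failed


def decide(group, request, rows=RADGROUPCHECK):
    """'reject' if any check row fails, else 'continue' (on to the password check)."""
    return "reject" if failed_checks(group, request, rows) else "continue"


# Constructed sample requests: (description, group, request attributes).
SAMPLES = [
    ("dialup user on the dialup NAS", "scn.ru", {"Client-IP-Address": "b.b.b.b"}),
    ("dialup user trying the VPN server", "scn.ru", {"Client-IP-Address": "a.a.a.a"}),
    ("campus user on the VPN server", "campus", {"Client-IP-Address": "a.a.a.a"}),
    # c.c.c.c is a constructed placeholder for the mail server's address.
    ("@scn.ru mailbox via the mail server", "scn.ru", {"Client-IP-Address": "c.c.c.c"}),
]

if __name__ == "__main__":
    for description, group, request in SAMPLES:
        print(f"{description:38} -> {decide(group, request)} "
              f"(failed rows: {failed_checks(group, request)})")
```

The last sample is the mail-server case from the message: the same unconditional row that blocks cross-authentication also rejects every "@scn.ru" request that arrives from any other client address.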
