> I was thinking about checking the interface, but it appears only when
> NAS-Port-Type=ISDN:
>         Vendor-Specific = "V9:T1:L24:interface=Serial0/0:30"
>         NAS-Port-Type = ISDN                   ^^^^^^^
>         NAS-Port = 20030
Have you run FreeRADIUS in debug mode (radiusd -X) and done a capture of all
the attributes the router sends for the various protocols? A dump of that
may be useful.

> When someone calls from PSTN it doesn't report any Vendor-Specific, but
> just Async and a port number:
>         Cisco-AVPair = "interface=Async92"
>         NAS-Port-Type = Async
>         NAS-Port = 92
> (Sometimes instead of "NAS-Port = 92" I get "NAS-Port = 1312686172", why?!)
Did you have a look at the link to Cisco's web site I sent? Look for 'aaa
nas-port extended'.

> Since I don't get the interface (Serialx/y) info every time, the only way
> is to check if the NAS-Port is between a specific range if I get it right.
>
> Something like that perhaps?
> insert into radgroupcheck values('0','group1','NAS-Port','65-94',:=')
> insert into radgroupcheck values('0','group2','NAS-Port','97-128',:=')
>  ...      ..            .. ....                ....
> ,'20001-20030' (for ISDN)
> supposing that Serial0/0 has ports 65-94, and Serial1/0 97-128.
>
> I'm not very familiar with sql syntax, so I'd appreciate some help on
> that...
Close, here's an example:

INSERT INTO radcheck VALUES (1,'user1','Password',':=','testing123');
INSERT INTO radcheck VALUES (2,'user2','User-Password',':=','VRs1vR06MAQ2M');

INSERT INTO radgroupcheck VALUES (1,'group1','Auth-Type',':=','Local');
INSERT INTO radgroupcheck VALUES (2,'group2','Auth-Type',':=','PAP');
INSERT INTO radgroupcheck VALUES (3,'group1','NAS-Port','==','65-94');
INSERT INTO radgroupcheck VALUES (4,'group2','NAS-Port','==','97-128');

INSERT INTO usergroup VALUES (1,'user1','group1');
INSERT INTO usergroup VALUES (2,'user2','group2');

The password for 'user2' is stored using the SQL ENCRYPT function; they're
both authenticated against the SQL database.

If you haven't done so already, you may be able to get more information by
enabling the extended NAS-Port attribute.

See also the Cisco doc on RADIUS attributes for NAS-Port at
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt30/user/ad.htm#1173

The easy part is locking users down by groups; the harder part is
determining the best way to lock those groups down by interface. It solely
depends on the information that the router presents via RADIUS.


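An offline model of the group/port policy discussed in the message above, as an added example (not part of the original post and not FreeRADIUS code). It loads the reply's radgroupcheck and usergroup rows into SQLite and tests the NAS-Port values quoted in the thread; the column names, the inclusive 'lo-hi' range reading and the helper names are assumptions.

```python
import sqlite3

# Rows copied from the reply; the column names are assumed for this sketch.
ROWS = """
CREATE TABLE radgroupcheck (id, groupname, attribute, op, value);
CREATE TABLE usergroup (id, username, groupname);
INSERT INTO radgroupcheck VALUES (3,'group1','NAS-Port','==','65-94');
INSERT INTO radgroupcheck VALUES (4,'group2','NAS-Port','==','97-128');
INSERT INTO usergroup VALUES (1,'user1','group1');
INSERT INTO usergroup VALUES (2,'user2','group2');
"""

def load():
    """Build an in-memory database holding the reply's rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(ROWS)
    return db

def in_range(spec, port):
    """True if port is inside 'lo-hi' (inclusive) or equals a single number."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def port_allowed(db, username, nas_port):
    """Fail closed: accept only if one of the user's groups has a matching
    NAS-Port rule; unknown users and unmatched ports are rejected."""
    rows = db.execute(
        "SELECT c.value FROM usergroup g "
        "JOIN radgroupcheck c ON c.groupname = g.groupname "
        "WHERE g.username = ? AND c.attribute = 'NAS-Port'",
        (username,),
    ).fetchall()
    return any(in_range(value, nas_port) for (value,) in rows)

if __name__ == "__main__":
    db = load()
    # NAS-Port values 92, 1312686172 and 20030 are the ones quoted in the thread.
    samples = [("user1", 92), ("user1", 100), ("user2", 100),
               ("user1", 1312686172), ("user2", 20030)]
    for user, port in samples:
        verdict = "accept" if port_allowed(db, user, port) else "reject"
        print(f"{user:6} NAS-Port={port:<11} {verdict}")
```

The run shows that the occasional large NAS-Port value from the thread is rejected by a range rule, so the port encoding the router sends needs to be consistent before ranges are enforced.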