On Tue, 14 Dec 2004, Paul Dlug wrote:
> Excuse me if this is a simple question but I'm relatively new to RADIUS. I'm running FreeRADIUS 1.0.0 with LDAP authentication to provide AAA for our wireless network and Cisco dial in server. I would like to restrict access by the device so that users are required to be in a certain group before they're allowed access to the dial in server but any valid LDAP username/password would work for the wireless network.
> Ideally the RADIUS server could just use an LDAP group for this, such as requiring users authenticating from 192.168.5.5 to be a member of the group "cn=dialinusers,ou=radiusgroups". If there's some way to specify this in the users file or other RADIUS config file that would be less ideal but equally effective.
DEFAULT NAS-IP-Address == "192.168.5.5", Group != "cn=dialinusers,ou=radiusgroups", Auth-Type := Reject
should work. See doc/rlm_ldap on how to configure group membership checks.
> If this hasn't been done, is there any interest in collaborating on a patch?
> Thanks, Paul
> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
Kostas Kalevras         Network Operations Center
[EMAIL PROTECTED]       National Technical University of Athens, Greece
Work Phone:             +30 210 7721861
'Go back to the shadow' Gandalf
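
Added example (not part of the original thread and not FreeRADIUS code): a small Python model of how the users entry in the reply above is evaluated, showing that only requests from 192.168.5.5 by users outside the group are rejected. The parser, the function names and the sample requests are assumptions made for illustration; on a real server the group lookup is done by rlm_ldap.

```python
import re

# The entry from the reply above, verbatim.
ENTRY = ('DEFAULT NAS-IP-Address == "192.168.5.5", '
         'Group != "cn=dialinusers,ou=radiusgroups", Auth-Type := Reject')

# attribute, operator, then either a quoted or a bare value
ITEM = re.compile(r'([\w-]+)\s*(==|!=|:=)\s*(?:"([^"]*)"|([^\s,]+))')

def parse_entry(line):
    """Split a one-line users entry into (name, [(attr, op, value), ...])."""
    name, rest = line.split(None, 1)
    items = []
    for m in ITEM.finditer(rest):
        value = m.group(3) if m.group(3) is not None else m.group(4)
        items.append((m.group(1), m.group(2), value))
    return name, items

def item_matches(attr, op, value, request, groups):
    """Evaluate one check item against a request and the user's groups."""
    if op == ":=":
        return True  # ':=' always matches; it sets a configuration item
    if attr == "Group":
        hit = value in groups  # membership test, not a string compare
    else:
        hit = request.get(attr) == value  # a missing attribute never equals
    return hit if op == "==" else not hit

def decide(request, groups, entry=ENTRY):
    """Return 'Reject' when the entry matches, else 'continue' (normal auth)."""
    _, items = parse_entry(entry)
    if not all(item_matches(a, o, v, request, groups) for a, o, v in items):
        return "continue"
    config = {a: v for a, o, v in items if o == ":="}
    return config.get("Auth-Type", "continue")

# Constructed sample requests: one from the dial-in server, one from wireless.
DIALIN = {"User-Name": "alice", "NAS-IP-Address": "192.168.5.5"}
WLAN = {"User-Name": "alice", "NAS-IP-Address": "192.168.5.9"}
MEMBER = {"cn=dialinusers,ou=radiusgroups"}

if __name__ == "__main__":
    cases = [("dial-in, in group", DIALIN, MEMBER),
             ("dial-in, not in group", DIALIN, set()),
             ("wireless, not in group", WLAN, set())]
    for label, req, grp in cases:
        print(f"{label:24} -> {decide(req, grp)}")
```

In this model the entry fires only on an exact NAS-IP-Address match, so it is worth confirming that the dial-in server really sends that attribute with that address.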