This puts it into the access-request and the radius server sees it
rad_recv: Access-Request packet from host 127.0.0.1:32770, id=106, length=79
        User-Name = "joe"
        User-Password = "testing"
        incoming-req-uri = "http://www.blibble.net/path_to"
  Processing the authorize section of radiusd.conf



Now, I can extend the radcheck table to include the URL and add that into the sql query as defined in mysql.conf, but how do I get freeradius to authenticate on the triple?

This is simple to implement in the users file (files module) and should be easy as well in the mysql backend (though I don't have experience on this one).

You'll have to define specific rules that check both authentication and your attribute for your Cisco 'web device'. I propose to define a Huntgroup for your cisco web devices and then you can add rules like these ones:

DEFAULT Huntgroup-Name == My-Cisco, incoming-req-uri != "http://www.blibble.net/path_to", Auth-Type := Reject
   Fall-Through  = no

DEFAULT Huntgroup-Name == My-Cisco, incoming-req-uri == "http://www.blibble.net/path_to"
   Fall-Through  = no

In order to implement these rules directly in mysql see the doc/rlm_sql file.

If this does not work, stop the radius server and then run it in debug mode:
/etc/init.d/radiusd stop
radiusd -X
...


Then run your Radius authentication request and send the debug log to the list.

HTH,
Thibault

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
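
Added example (not part of the thread and not FreeRADIUS project code): one way the user/password/URL triple could be expressed in the rlm_sql tables the reply points to, plus a query to find accounts that still lack the URL constraint. It assumes the stock MySQL radcheck layout (id, username, attribute, op, value), that joe's password row already exists, and that incoming-req-uri is defined in the server dictionary.

```sql
-- Added example; schema and data are assumptions, see the note above.
-- radcheck is not extended with a URL column: every check item is one row,
-- and all rows for a user must match the request before the user's
-- entries are applied.

-- Tie joe to the URL he must be arriving from. '==' compares the stored
-- value with the attribute carried in the Access-Request.
INSERT INTO radcheck (username, attribute, op, value)
VALUES ('joe', 'incoming-req-uri', '==', 'http://www.blibble.net/path_to');

-- Only apply joe's entry to requests coming from the web devices
-- (My-Cisco is the huntgroup name proposed in the reply).
INSERT INTO radcheck (username, attribute, op, value)
VALUES ('joe', 'Huntgroup-Name', '==', 'My-Cisco');

-- Review what the server will now check for joe.
SELECT attribute, op, value
FROM radcheck
WHERE username = 'joe'
ORDER BY id;

-- Audit: users that have radcheck rows but no URL constraint, i.e. accounts
-- that would still authenticate on username and password alone.
SELECT username
FROM radcheck
GROUP BY username
HAVING SUM(attribute = 'incoming-req-uri') = 0;
```

If the URL in a request does not equal the stored value, the user's radcheck rows do not match and are not applied, so check the result with radiusd -X as described in the reply.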
