I have a freeradius server with PEAP auth. Secrets of nasnames and user passwords
are in mysql.
Is it possible to set freeradius to send Access-Accept only when a user tries to
connect to a specified access point? I am trying to check it with an sql query
modified by me.
sql: authorize_check_query = "SELECT r.id, r.UserName, r.Attribute, r.Value,
r.op FROM radcheck r WHERE r.Username = '%{SQL-User-Name}'
and ('%{NAS-IP-Address}' = 'aaaaaaaaaa')"
When sql gets the password from sql, there is no desired value of the
NAS-IP-Address attribute, so I don't know how to check it by sql.
Example, this is ONE packet of Access-Request:
rad_recv: Access-Request packet from host 10.10.10.123:2048, id=247, length=261
User-Name = "Adam Nowak"
NAS-IP-Address = 10.10.10.123
(...)
rlm_sql (sql): sql_set_user escaped user --> 'Adam Nowak'
radius_xlat: 'SELECT r.id, r.UserName, r.Attribute, r.Value, r.op
FROM radcheck r WHERE r.Username = 'Adam Nowak' and
('10.10.10.123' = 'aaaaaaaaaa') // YOU CAN SEE NAS-IP-Address here, but Adam
Nowak is not the eap-peap login...
(...)
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Identity - wlxtbp - // THIS IS THE CORRECT LOGIN...
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled identity of wlxtbp
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to wlxtbp
(...)
rlm_sql (sql): sql_set_user escaped user --> 'wlxtbp'
radius_xlat: 'SELECT r.id, r.UserName, r.Attribute, r.Value, r.op
FROM radcheck r WHERE r.Username = 'wlxtbp' and
('127.0.0.1' = 'aaaaaaaaaa' ) // YOU SEE 127.0.0.1 instead of desired
NAS-IP-Address here, so I can't check here from which access point the user tries
to connect
This is the place where freeradius gets the password from mysql, and if the
password is ok we can see:
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Success
My question is as I have written:
Is it possible to set freeradius to send Access-Accept only when a user tries to
connect to a specified access point?
And how to do it? :-)
Norboro