[EMAIL PROTECTED] wrote:
Could I also do:
bob password = "neil", Calling-Station-Id != "0001....", Auth-Type := Reject
So that both pieces of information have to be present to be authenticated?
No, that would always reject the user. You could do this:
bob Calling-Station-Id != "0001....", Auth-Type := Reject
bob User-Password := "neil"
Well, that's too easy. :)
Can you instead use rlm_checkval like this:
modules {
    passwd user2allowedmacs {
        filename = /etc/raddb/user2allowedmacs
        format = "*User-Name:Calling-Station-Id"
        hashsize = 100
        allowmultiplekeys = yes
    }
    checkval usermacs {
        item-name = Calling-Station-Id
        check-name = Calling-Station-Id
        data-type = string
        notfound-reject = yes
    }
}
Which file would the above be placed in and does it need to be placed in a
certain area of the file or can it just be added to the bottom of the file? And
It's a partial fragment of radiusd.conf - you would need to inspect how
the radiusd.conf hierarchical config works, and put the two module
definitions in along with anything else you need.
when I see 'rlm_' I think realm which makes me think ldap or kerberos, neither
of which I am using, will this be a problem?
rlm == radius loadable module, nothing to do with realms (although there
is an rlm_realm for dealing with realms!)
authorize {
    preprocess
    user2allowedmacs
    usermacs
    # other stuff
}
So whatever I name my module I will have to add to the authorize stanza in the
radius.conf file, correct?
Yep
/etc/raddb/user2allowedmacs:
user1:001122334455
user1:aabbccddeeff
user2:0123456789ab
...I think that ought to work?
Thanks for the info, this is gold!
Jon
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
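
An added example, not from the thread or the FreeRADIUS project: a Python check for a user-to-MAC file in the layout posted above, plus a model of the intended per-user MAC policy. It assumes the comparison is an exact string match and that the NAS sends Calling-Station-Id as 12 lowercase hex digits, as in the sample entries; load_allowed and is_allowed are hypothetical names.

```python
import re

# Constructed sample in the thread's "user:mac" layout, plus two bad lines.
SAMPLE = """\
user1:001122334455
user1:aabbccddeeff
user2:0123456789ab
user3:00-11-22-33-44-55
user4
"""

# Assumption: entries are 12 lowercase hex digits, as in the thread's sample file.
MAC_RE = re.compile(r"[0-9a-f]{12}")


def load_allowed(text):
    """Return ({user: set(macs)}, [(line_no, problem)]) for a user:mac file."""
    allowed, problems = {}, []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        user, sep, mac = line.partition(":")
        if not sep or not user:
            problems.append((no, "expected user:mac"))
        elif not MAC_RE.fullmatch(mac):
            problems.append((no, "MAC is not 12 lowercase hex digits: %r" % mac))
        elif mac in allowed.setdefault(user, set()):
            problems.append((no, "duplicate entry"))
        else:
            allowed[user].add(mac)
    return allowed, problems


def is_allowed(allowed, user, calling_station_id):
    """Model of the intended policy (an assumption, not FreeRADIUS code):
    exact string match against the user's list; unknown users are rejected."""
    return calling_station_id in allowed.get(user, set())


if __name__ == "__main__":
    table, issues = load_allowed(SAMPLE)
    for no, problem in issues:
        print("line %d: %s" % (no, problem))
    print(is_allowed(table, "user1", "aabbccddeeff"))   # listed MAC
    print(is_allowed(table, "user1", "AA-BB-CC-DD-EE-FF"))  # same MAC, other format
```

Under this model a MAC sent in a different case or with separators does not match a listed entry, so the file has to use the same form the NAS sends.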