Alan,
Could you perhaps give me a hint about how one would go about allowing any
user from any system (_unless_ that system is listed for the specific purpose
of not allowing anyone to authenticate from it) to authenticate?
----- Original Message ----
From: Alan DeKok <[EMAIL PROTECTED]>
To: FreeRadius users mailing list <[email protected]>
Sent: Thursday, December 21, 2006 11:47:47 AM
Subject: Re: Questions from a totally ignorant n00b
Gene Mosley wrote:
> Users are authenticating from systems that they should not be
> authenticating from - we need to block authentication on a per system
> (IP address) basis, not a per user basis.
You can do this in FreeRADIUS. Put users into different groups, and
block the group from accessing particular systems.
> Users should be allowed to authenticate from any system that they are
> using _except_ a certain, specific list of IP addresses which would
> basically be banned/blocked from authenticating.
This can be done, too.
> Is this something that FreeRADIUS can do?
Yes.
> I just started reading about it - and if nothing else it looks like
> exec-program-wait might be used to test the IP address and return an
> authentication failure?
That will work, too, but will be less efficient.
Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
