All,
I have VPN users who connect to a Cisco ASA firewall, which authenticates
using radius off of Freeradius. I would like to enforce which IP addresses
users may connect from. Am I correct to assume the Radius server is the
best place to perform this?
If so, what is the best way to go about doing this? Since our users.conf is
programmatically generated, hopefully the changing part of the configuration
can be isolated to this file? Below is an example login from the
free-radius server. I want to filter on "Calling-Station-Id", to enforce a
specified source IP which may vary by user.
Thanks!
rad_recv: Access-Request packet from host 3.3.3.3:1025, id=177, length=157
User-Name = "john"
User-Password = "xxxx"
NAS-Port = xxxx
Service-Type = Framed-User
Framed-Protocol = PPP
Called-Station-Id = "1.1.1.1"
Calling-Station-Id = "2.2.2.2"
NAS-Port-Type = Virtual
Tunnel-Client-Endpoint:0 = "4.4.4.4"
NAS-IP-Address = 3.3.3.3
Cisco-AVPair = "ip:source-ip=2.2.2.2N\233"
Processing the authorize section of radiusd.conf
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
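One way to do what the post asks, as an added example that is not part of the original message and not FreeRADIUS code: the `users` file supports check items, so an entry such as `john  Cleartext-Password := "xxxx", Calling-Station-Id == "2.2.2.2"` only matches when the request carries that Calling-Station-Id, and a trailing `DEFAULT  Auth-Type := Reject` entry catches anything that fell through. The script below renders such entries from a per-user map (standing in for whatever generates the poster's users file) and then evaluates an Access-Request attribute dump against them with a deliberately simplified model of the files module: the map `ALLOWED_SOURCE`, the helper names, and the placeholder passwords are all constructed for this example, and `REQUEST_DUMP` is the dump from the post with the Cisco-AVPair line trimmed.

```python
"""Added example (not from the list post or from FreeRADIUS): render per-user
`users` file entries that pin Calling-Station-Id to an allowed VPN source
address, then evaluate an Access-Request dump against them with a simplified
model of the files module's check-item semantics."""
import re

# Constructed sample data: user -> (password placeholder, permitted source IP).
# In the poster's setup this is whatever generates the users file.
ALLOWED_SOURCE = {
    "john": ("xxxx", "2.2.2.2"),
    "alice": ("PLACEHOLDER-PW", "5.5.5.5"),
}

# The Access-Request dump from the post (Cisco-AVPair line trimmed).
REQUEST_DUMP = """\
rad_recv: Access-Request packet from host 3.3.3.3:1025, id=177, length=157
User-Name = "john"
User-Password = "xxxx"
NAS-Port = xxxx
Service-Type = Framed-User
Framed-Protocol = PPP
Called-Station-Id = "1.1.1.1"
Calling-Station-Id = "2.2.2.2"
NAS-Port-Type = Virtual
Tunnel-Client-Endpoint:0 = "4.4.4.4"
NAS-IP-Address = 3.3.3.3
"""


def render_users_file(allowed):
    """One entry per user: a ':=' item supplying the password and an '=='
    check item that must equal the request's Calling-Station-Id. A closing
    DEFAULT entry rejects whatever fell through (wrong source, unknown user)."""
    lines = []
    for user, (password, ip) in sorted(allowed.items()):
        lines.append(f'{user}\tCleartext-Password := "{password}", '
                     f'Calling-Station-Id == "{ip}"')
        lines.append("")
    lines.append("DEFAULT\tAuth-Type := Reject")
    lines.append('\tReply-Message = "Login not permitted from this address"')
    return "\n".join(lines) + "\n"


_ATTR_RE = re.compile(r"^\s*([\w:-]+)\s*=\s*(.*?)\s*$")
_ITEM_RE = re.compile(r'^([\w:-]+)\s*(==|:=)\s*"?([^"]*)"?$')


def parse_request(dump):
    """Collect 'Attr = value' lines from a radiusd debug dump into a dict."""
    attrs = {}
    for line in dump.splitlines():
        m = _ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2).strip('"')
    return attrs


def parse_entries(text):
    """Parse the rendered users file: a non-indented line is 'name<TAB>check
    items', indented lines are reply items for the preceding entry."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":
            entries[-1]["reply"].append(line.strip())
            continue
        name, _, rest = line.partition("\t")
        checks = []
        for item in (p.strip() for p in rest.split(",") if p.strip()):
            m = _ITEM_RE.match(item)
            if not m:
                raise ValueError(f"unsupported check item: {item!r}")
            checks.append(m.groups())
        entries.append({"name": name, "checks": checks, "reply": []})
    return entries


def decide(entries, request):
    """Simplified files-module semantics: the first entry whose name is the
    request's User-Name (or DEFAULT) and whose '==' items all equal the
    request's attributes is chosen. Its ':=' items act as config: Auth-Type
    Reject refuses the login, otherwise Cleartext-Password is compared with
    the request's User-Password. Returns (entry name, accepted)."""
    user = request.get("User-Name")
    for e in entries:
        if e["name"] not in ("DEFAULT", user):
            continue
        if not all(request.get(a) == v for a, op, v in e["checks"] if op == "=="):
            continue
        config = {a: v for a, op, v in e["checks"] if op == ":="}
        if config.get("Auth-Type") == "Reject":
            return e["name"], False
        return e["name"], config.get("Cleartext-Password") == request.get("User-Password")
    return None, False


def check_dump(dump, allowed=ALLOWED_SOURCE):
    """Render entries for `allowed` and decide the given request dump."""
    return decide(parse_entries(render_users_file(allowed)), parse_request(dump))


if __name__ == "__main__":
    print(render_users_file(ALLOWED_SOURCE))
    print(check_dump(REQUEST_DUMP))
    # The same login from an unexpected source address falls through to DEFAULT.
    print(check_dump(REQUEST_DUMP.replace('"2.2.2.2"', '"9.9.9.9"')))
```

Two points worth keeping in mind when translating this into a real users file: a failed `==` check item does not reject the request, it only means that entry does not match, so without the closing `DEFAULT  Auth-Type := Reject` entry the request keeps falling through to whatever entries or modules follow; and Calling-Station-Id is whatever the ASA chose to put in it, so the check is only as trustworthy as the NAS that populated it.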