Pete,

On Sat, May 25, 2013 at 02:31:12PM -0600, Pete Ashdown wrote:
> I'm trying to restrict a guest user from a single NAS-IP-Address via "users"
> and I can't get it to work.
>
> Doesn't work:
>
> test NAS-IP-Address == "127.0.0.1"
>         Auth-Type := Accept

Try:

test NAS-IP-Address == "127.0.0.1", Auth-Type := Accept

The first line matches against the incoming request packets, and sets
things in the control list. The subsequent lines are entries for the reply
packet. Auth-Type is a control item.

This is documented in the users file - read it carefully and look at the
examples, such as "deny access for a group of users".

But for restricting users, I doubt you want "Accept"! :)

> Also, how would I do this for a group of NAS IP addresses? Is it possible to
> assign them to a group in "clients.conf" that can be later checked against in
> "users"? Where is the documentation of what can be tested against in the
> "users" file?

Add entries in the huntgroups file:

blockednaslist NAS-IP-Address == 127.0.0.1
blockednaslist NAS-IP-Address == 127.0.1.1

then use something like this in users:

testuser Huntgroup-Name == "blockednaslist", Auth-Type := Reject

Don't forget that NAS-IP-Address can be spoofed if you permit NASes not
under your own control.

Matthew

--
Matthew Newton, Ph.D. <[email protected]>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <[email protected]>
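
The check-line versus reply-line distinction explained in the reply above can be tested mechanically. The following is an added example, not part of the original message and not FreeRADIUS code: a small Python lint that parses a simplified "users" file and reports control attributes placed on the indented reply lines. The function names, the one-entry CONTROL_ATTRS set and the sample text are assumptions made for illustration, and values containing commas are not handled.

```python
import re

# Assumption: only the control attribute discussed in this thread is listed.
CONTROL_ATTRS = {"Auth-Type"}
ITEM_RE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(:=|==|\+=|!=|=)\s*("[^"]*"|[^,\s]+)\s*')

def parse_items(text):
    """Split a comma-separated item list into (attribute, operator, value) tuples."""
    items = []
    for part in text.split(","):
        if not part.strip():
            continue  # tolerate the trailing comma used on reply lines
        m = ITEM_RE.fullmatch(part)
        if not m:
            raise ValueError(f"cannot parse item: {part!r}")
        items.append((m.group(1), m.group(2), m.group(3).strip('"')))
    return items

def parse_users(text):
    """Return entries as dicts: name, check (first line), reply (indented lines)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0] in " \t":  # indented line: items for the reply packet
            if not entries:
                raise ValueError("reply line before any entry")
            entries[-1]["reply"] += parse_items(line)
        else:  # unindented line: user name, then check/control items
            parts = line.split(None, 1)
            rest = parts[1] if len(parts) > 1 else ""
            entries.append({"name": parts[0], "check": parse_items(rest), "reply": []})
    return entries

def misplaced_control_items(entries):
    """List (user, attribute) pairs where a control attribute sits on a reply line."""
    return [(e["name"], attr) for e in entries
            for attr, _op, _val in e["reply"] if attr in CONTROL_ATTRS]

# Constructed sample built from the two entries quoted in the thread.
SAMPLE = '''
test NAS-IP-Address == "127.0.0.1"
    Auth-Type := Accept

testuser Huntgroup-Name == "blockednaslist", Auth-Type := Reject
'''

if __name__ == "__main__":
    for user, attr in misplaced_control_items(parse_users(SAMPLE)):
        print(f"{user}: {attr} is a control item but appears on a reply line")
```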

