It seems you want to drop upstream IP packets if the source IP address does not match the source MAC address, and you have a static table of IP-MAC pairs.

There are two cases where the MAC address is relevant: Ethernet and PPPoE.

You can set static ARP entries to map IP address to MAC address on the L3 switch (e.g. on the Ethernet router). This will ensure that downstream traffic is always sent to the correct Ethernet host. You can also enable "source IP address verification" on the L3 switch's subscriber-facing interfaces (for example, Cisco calls this "IP Source Guard"). This will drop upstream IP packets with an incorrect source IP address. No RADIUS interaction is required; all is configured statically on the L3 switch.

You can send a packet filter that drops upstream packets whose source IP address differs from the assigned one to the PPPoE server in the RADIUS Access-Accept. For example, using the standard NAS-Filter-Rule attribute (your PPPoE server may support vendor-specific packet filters only):

update reply {
    # upstream: only packets sourced from the assigned address
    NAS-Filter-Rule += "permit in ip assigned any"
    # downstream: only packets destined to the assigned address
    NAS-Filter-Rule += "permit out ip any assigned"
    # drop everything else in both directions
    NAS-Filter-Rule += "deny in ip any any"
    NAS-Filter-Rule += "deny out ip any any"
}
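As an added illustration (not code from the original post or from FreeRADIUS), the following Python models the PPPoE case above: a constructed static MAC-to-IP table that yields the Access-Accept attributes, and a first-match evaluator for the four NAS-Filter-Rule lines, showing that a packet from a hand-changed source IP is dropped while the assigned one passes. The rule syntax parsed is the one written in the reply (action, direction, protocol, source, destination); real NAS implementations differ, and the table values are made up.

```python
import ipaddress

# Constructed static MAC -> IP table (example values, not from the original post).
SUBSCRIBERS = {
    "00:11:22:33:44:55": "10.0.0.10",
    "66:77:88:99:aa:bb": "10.0.0.11",
}

# The four filter lines from the reply above; the NAS substitutes the
# session's Framed-IP-Address for the keyword "assigned".
FILTER_RULES = [
    "permit in ip assigned any",
    "permit out ip any assigned",
    "deny in ip any any",
    "deny out ip any any",
]


def reply_attributes(mac):
    """Access-Accept attributes for a known MAC; None means Access-Reject."""
    ip = SUBSCRIBERS.get(mac.lower())
    if ip is None:
        return None
    return {"Framed-IP-Address": ip, "NAS-Filter-Rule": list(FILTER_RULES)}


def _match(spec, addr, assigned):
    """Match one address field: 'any', 'assigned', or a host/prefix literal."""
    if spec == "any":
        return True
    if spec == "assigned":
        return ipaddress.ip_address(addr) == ipaddress.ip_address(assigned)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def packet_allowed(rules, assigned, direction, src, dst):
    """First-match evaluation of the rule list; unmatched packets are dropped."""
    for rule in rules:
        action, rule_dir, proto, rule_src, rule_dst = rule.split()[:5]
        if rule_dir != direction or proto != "ip":
            continue
        if _match(rule_src, src, assigned) and _match(rule_dst, dst, assigned):
            return action == "permit"
    return False


if __name__ == "__main__":
    attrs = reply_attributes("00:11:22:33:44:55")
    ip, rules = attrs["Framed-IP-Address"], attrs["NAS-Filter-Rule"]
    print(packet_allowed(rules, ip, "in", ip, "192.0.2.1"))          # True
    print(packet_allowed(rules, ip, "in", "10.0.0.99", "192.0.2.1"))  # False: spoofed source
```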

On 29.05.2013 21:45, Renan Rodrigues wrote:
Hi Everyone!

There is something I am trying to do with radius and can't find how.
(One month googling and nothing done...)
What I want is to authenticate my users with their MAC and IP-ADDRESS,
so, even if they have root-access to their systems, they can't change
their IP-ADDRESS by themselves, because radius is going to reject them.

Until now, I have a radius mac-authenticating and working together with
dhcpd. I've tried to use ip-pool, that works, but someone still can
change ip-address by hand and keep networking....

So, is it possible to work this out?

Thanks


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html