How to configure a freeradius server to require NAS-IP-Address attribute?

Question 1

How to configure a freeradius server to require NAS-IP-Address attribute?

freeradius radius-protocol

Michael · Feb 21, 2014 · Viewed 8.9k times · Source

Answer

Answer

Sure, there are many ways of doing this.

authorize {
   if (!NAS-IP-Address) {
       reject
   }

   if (NAS-IP-Address != 192.168.0.2) {
      reject
   }

   if ("%{sql:SELECT count(*) FROM table WHERE User-Name = '%{User-Name}' AND IP-Address = '%{NAS-IP-Address}'" == 0) {
      reject
   }
}

In v3.0.x subnet matching is also supported, where < > are reassigned to mean the set operators (< subset of) (> superset of).

if (!(<ipv4prefix>NAS-IP-Address < 192.168.0.0/16)) {
    reject
}

NAS-IP-Address = 192.168.0.2

(0)   ? if (<ipv4prefix>NAS-IP-Address < 192.168.0.0/16) 
(0)   ? if (<ipv4prefix>NAS-IP-Address < 192.168.0.0/16)  -> TRUE

NAS-IP-Address = 192.169.0.2

(0)   ? if (<ipv4prefix>NAS-IP-Address < 192.168.0.0/16) 
(0)   ? if (<ipv4prefix>NAS-IP-Address < 192.168.0.0/16)  -> FALSE

Question 2

I want to configure a freeradius server in the way that an authentication is successful only if NAS-IP-Address attribute is not empty and equals to some specific IP (of course a user name and a password match).

How should I do it? I have tried to read the documentation without success: http://freeradius.org/rfc/attributes.html http://freeradius.org/rfc/rfc2865.html#NAS-IP-Address

How to configure a freeradius server to require NAS-IP-Address attribute?

Answer

Related questions