Re: [Help-gnu-radius] help with remote NAS's
From: Sergey Poznyakoff
Subject: Re: [Help-gnu-radius] help with remote NAS's
Date: Tue, 11 Feb 2003 00:50:18 +0200
> Just wondering if this is possible (and how would be nice too). I have
> several NAS's (not under my control) that are configured to
> authenticate against my gnu-radius server. All user auths are done via
> SQL. What I would like to do, is restrict users of the remote NAS's to
> have a certain column marked in mysql.
[...]
> but have users that are local (NAS's under my control) which can
> authenticate w/o this being marked (therefore I don't think it could be
> put in sqlserver). I know this could be possible by binding another
Use the Auth-Data attribute in conjunction with the huntgroup entry. For example,
suppose NASes 10.10.10.1 and 10.10.10.2 are the "remote" ones (i.e. ones
outside of your control) and 172.10.0.1 is the "local" one (i.e. controlled
by you). Then, define in your raddb/huntgroup:
    REMOTE  NAS-IP-Address = 10.10.10.1    NULL
    REMOTE  NAS-IP-Address = 10.10.10.2    NULL
    LOCAL   NAS-IP-Address = 172.10.0.1    NULL
In your raddb/users put the following:
    DEFAULT Huntgroup-Name = REMOTE,
            Auth-Type = SQL,
            Auth-Data = "REMOTE"
            Service-Type = Framed-User

    DEFAULT Huntgroup-Name = LOCAL,
            Auth-Type = SQL,
            Auth-Data = "LOCAL"
            Service-Type = Framed-User
Now, use Auth-Data in your auth_query to discern between the users coming
from local and remote nases, e.g.:
    auth_query SELECT password \
               FROM logininfo \
               WHERE username='%u' \
               AND active='Y' \
               AND ('%C{Auth-Data}' = 'LOCAL' OR allow_remote='Y')
Thus the users coming from "local" NASes will be authenticated without
taking into account the 'allow_remote' column, whereas those coming
from "remote" NASes will be authenticated only if they have the 'allow_remote'
column set to 'Y'.
Of course, that is only an outline. You will have to suit it to your
needs.
Regards,
Sergey
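The following is a worked example added by the editor; it is not part of Sergey's reply and not GNU Radius code. It models the three pieces of the outline above (huntgroup lookup by NAS address, the Huntgroup-Name to Auth-Data mapping from raddb/users, and the auth_query predicate) against a small constructed logininfo table in SQLite, so the local/remote decision can be exercised without a radius server. Assumptions: each NAS belongs to exactly one huntgroup, passwords are stored in clear text exactly as the outlined query expects, the NAS addresses and accounts are the hypothetical ones from the reply plus made-up users, and the user name is bound as a query parameter rather than spliced in textually as radiusd's %u expansion does.

```python
import hmac
import sqlite3

# Constructed equivalent of the raddb/huntgroup entries in the reply:
# NAS address -> huntgroup name (one group per NAS, a simplification).
HUNTGROUPS = {
    "10.10.10.1": "REMOTE",
    "10.10.10.2": "REMOTE",
    "172.10.0.1": "LOCAL",
}

# Constructed equivalent of the two DEFAULT entries in raddb/users: the
# matched Huntgroup-Name is carried into Auth-Data for the auth_query.
AUTH_DATA_BY_HUNTGROUP = {"REMOTE": "REMOTE", "LOCAL": "LOCAL"}

# The auth_query predicate from the reply, written as valid SQL.  The
# Auth-Data value is substituted textually (as radiusd does for
# %C{Auth-Data}); the user name is a bound parameter here, whereas the
# real sqlserver config expands %u into the query text.
AUTH_QUERY = (
    "SELECT password FROM logininfo "
    "WHERE username = ? "
    "AND active = 'Y' "
    "AND ('{auth_data}' = 'LOCAL' OR allow_remote = 'Y')"
)


def build_db():
    """Constructed logininfo table with a few illustrative accounts."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE logininfo ("
        "username TEXT PRIMARY KEY, password TEXT, "
        "active CHAR(1), allow_remote CHAR(1))"
    )
    db.executemany(
        "INSERT INTO logininfo VALUES (?, ?, ?, ?)",
        [
            ("alice", "alice-pw", "Y", "Y"),  # may log in from any NAS
            ("bob",   "bob-pw",   "Y", "N"),  # local NASes only
            ("carol", "carol-pw", "N", "Y"),  # disabled account
        ],
    )
    db.commit()
    return db


def authenticate(db, nas_ip, username, password):
    """True iff the request would pass the auth_query and the password check."""
    huntgroup = HUNTGROUPS.get(nas_ip)
    if huntgroup is None:
        # No huntgroup matched, so neither DEFAULT profile applies: reject.
        return False
    auth_data = AUTH_DATA_BY_HUNTGROUP[huntgroup]
    # Auth-Data comes from the server's own config, never from the request,
    # but it is still spliced into SQL text, so keep it to a plain word.
    if not auth_data.isalpha():
        raise ValueError("Auth-Data must be a bare word: %r" % auth_data)
    row = db.execute(
        AUTH_QUERY.format(auth_data=auth_data), (username,)
    ).fetchone()
    if row is None:
        return False  # unknown, inactive, or not allowed from a remote NAS
    # Constant-time compare of the stored clear-text password.
    return hmac.compare_digest(row[0].encode(), password.encode())


if __name__ == "__main__":
    db = build_db()
    for nas, user, pw in [("172.10.0.1", "bob", "bob-pw"),
                          ("10.10.10.1", "bob", "bob-pw"),
                          ("10.10.10.2", "alice", "alice-pw")]:
        print(nas, user, "->", "ACCEPT" if authenticate(db, nas, user, pw) else "REJECT")
```

The interesting case is bob: the same credentials are accepted from 172.10.0.1 and rejected from 10.10.10.1 purely because Auth-Data differs, which is the behaviour the outline describes. Note that an unknown NAS address yields a reject here because no huntgroup, and therefore no profile, matches; in a real deployment the NAS must also be listed in raddb/clients with a shared secret before its requests are processed at all.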