Re: [Help-gnu-radius] Framed-IP-Address

From: Sergey Poznyakoff
Subject: Re: [Help-gnu-radius] Framed-IP-Address
Date: Fri, 04 Nov 2005 11:07:23 EET

Fletcher Mattox <address@hidden> wrote:
> That's a shame. The NAS is a Cisco 3000 VPN Concentrator. I want to make
> an authentication decision based on this IP address. I notice that it
> *does* send it in an accounting packet one second later, because radiusd
> logs it in /var/log/radacct/1.2.3.4/detail, and because it appears in
> radutmp and radwtmp. Can you think of any clever way I can use this
> information for authentication?

I'm afraid the only way to do so is to have Framed-IP-Address in the
Access-Request. It is a chicken-and-egg problem: for the NAS to send
Accounting-Request it must first receive an Access-Accept packet from
the radius server, and the latter can send it only if it knows
Framed-IP-Address, which is available only in the Accounting-Request.

Perhaps Cisco is sending some other attribute that can be used in place
of Framed-IP-Address? For example, according to RFC 2865, an
Access-Request should contain NAS-Port or NAS-Port-Type attribute. Could
these be used for your purpose?

Regards,
Sergey
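
The attribute ordering discussed above, as an added example that is not part of the original message or of GNU Radius: a minimal RFC 2865 attribute parser run over two constructed packets, listing what an authentication policy can actually match on. The user name, port values and 10.0.0.5 are constructed sample data; what a given NAS really sends has to be read from a capture of its own Access-Request.

```python
import socket
import struct

# Attribute and packet codes from RFC 2865 / RFC 2866.
ATTRS = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port",
         8: "Framed-IP-Address", 40: "Acct-Status-Type", 61: "NAS-Port-Type"}
CODES = {1: "Access-Request", 4: "Accounting-Request"}

def build(code, attrs):
    """Encode a constructed packet; the authenticator is zeroed (sample only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", code, 1, 20 + len(body), bytes(16)) + body

def parse(data):
    """Return (packet name, {attribute name: raw value}), rejecting bad lengths."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= len(data):
        raise ValueError("length field does not match packet")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs[ATTRS.get(atype, "Attr-%d" % atype)] = data[pos + 2:pos + alen]
        pos += alen
    return CODES.get(code, "Code-%d" % code), attrs

def auth_time_keys(data):
    """Attributes in an Access-Request that a policy could match on."""
    name, attrs = parse(data)
    if name != "Access-Request":
        raise ValueError("not an Access-Request")
    return sorted(k for k in attrs if k != "User-Name")

# Constructed sample packets (values are illustrative, not from a real NAS).
ACCESS_REQUEST = build(1, [(1, b"vpnuser"), (4, socket.inet_aton("1.2.3.4")),
                           (5, struct.pack("!I", 7)), (61, struct.pack("!I", 5))])
ACCOUNTING_REQUEST = build(4, [(1, b"vpnuser"), (40, struct.pack("!I", 1)),
                               (8, socket.inet_aton("10.0.0.5"))])

if __name__ == "__main__":
    print(auth_time_keys(ACCESS_REQUEST))
    _, acct = parse(ACCOUNTING_REQUEST)
    print(socket.inet_ntoa(acct["Framed-IP-Address"]))
```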