help-gnu-radius

Re: [Help-gnu-radius] Framed-IP-Address


From: Sergey Poznyakoff
Subject: Re: [Help-gnu-radius] Framed-IP-Address
Date: Fri, 04 Nov 2005 11:07:23 EET

Fletcher Mattox <address@hidden> wrote:

> That's a shame.  The NAS is a Cisco 3000 VPN Concentrator.  I want to make
> an authentication decision based on this IP address.  I notice that it
> *does* send it in an accounting packet one second later, because radiusd
> logs it in /var/log/radacct/1.2.3.4/detail, and because it appears in
> radutmp and radwtmp.  Can you think of any clever way I can use this
> information for authentication?

I'm afraid the only way to do so is to have Framed-IP-Address in the
Access-Request. It is a chicken-and-egg problem: for the NAS to send
Accounting-Request it must first receive an Access-Accept packet from
the radius server, and the latter can send it only if it knows
Framed-IP-Address, which is available only in the Accounting-Request.

Perhaps Cisco is sending some other attribute that can be used in place
of Framed-IP-Address? For example, according to RFC 2865, an
Access-Request should contain NAS-Port or NAS-Port-Type attribute. Could
these be used for your purpose?

Regards,
Sergey
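
The following is an added example, not part of the message above and not GNU Radius code: a minimal RFC 2865 attribute decoder that lists what a NAS actually put in an Access-Request, so you can see which attributes are available at authentication time. The two packets are constructed samples (zero authenticator, no User-Password, made-up user name, port and addresses), not captures from a Cisco concentrator.

```python
import socket
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 4: "Accounting-Request"}
# Attribute numbers from RFC 2865 / RFC 2866: name and value kind.
ATTRS = {1: ("User-Name", "text"), 4: ("NAS-IP-Address", "ipaddr"),
         5: ("NAS-Port", "int"), 8: ("Framed-IP-Address", "ipaddr"),
         40: ("Acct-Status-Type", "int"), 61: ("NAS-Port-Type", "int")}

def parse_radius(packet: bytes):
    """Return (code name, {attribute name: value}) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    attrs, pos = {}, 20  # attributes start after the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:  # alen counts its own 2 header bytes
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        name, kind = ATTRS.get(atype, (f"Attr-{atype}", "raw"))
        if kind == "ipaddr" and len(value) == 4:
            value = socket.inet_ntoa(value)
        elif kind == "int" and len(value) == 4:
            value = struct.unpack("!I", value)[0]
        elif kind == "text":
            value = value.decode("utf-8", "replace")
        attrs[name] = value
        pos += alen
    return CODES.get(code, f"Code-{code}"), attrs

def build(code, attrs):
    """Build a constructed sample packet (zero authenticator, test data only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples: NAS-Port-Type 5 is "Virtual", Acct-Status-Type 1 is "Start".
ACCESS_REQUEST = build(1, [(1, b"alice"), (4, socket.inet_aton("1.2.3.4")),
                           (5, struct.pack("!I", 1027)), (61, struct.pack("!I", 5))])
ACCOUNTING_REQUEST = build(4, [(1, b"alice"), (40, struct.pack("!I", 1)),
                               (8, socket.inet_aton("10.0.0.17"))])

if __name__ == "__main__":
    for pkt in (ACCESS_REQUEST, ACCOUNTING_REQUEST):
        print(*parse_radius(pkt))
```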



