Re: Questions from a totally ignorant n00b

Gene Mosley wrote:
> Users are authenticating from systems that they should not be
> authenticating from - we need to block authentication on a per system
> (IP address) basis, not a per user basis.

You can do this in FreeRADIUS. Put users into different groups, and
block the group from accessing particular systems.

> Users should be allowed to authenticate from any system that they are
> using _except_ a certain, specific list of IP addresses which would
> basically be banned/blocked from authenticating.

This can be done, too.

> Is this something that FreeRADIUS can do?

Yes.

> I just started reading about it - and if nothing else it looks like
> exec-program-wait might be used to test the IP address and return an
> authentication failure?

That will work, too, but will be less efficient.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html