Re: Questions from a totally ignorant n00b
This is a discussion on Re: Questions from a totally ignorant n00b within the FreeRADIUS Users forums, part of the Networking and Network Related category; --===============1457223292== Content-Type: multipart/alternative; boundary="0-1371719787-1166732684=:94083" --0-1371719787-1166732684=:94083 Content-Type: text/plain; ...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
12-21-2006
|
|||
|
|||
Re: Questions from a totally ignorant n00b
--===============1457223292==
Content-Type: multipart/alternative; boundary="0-1371719787-1166732684=:94083" --0-1371719787-1166732684=:94083 Content-Type: text/plain; charset=ascii Content-Transfer-Encoding: quoted-printable Alan,=0A Could you perhaps give me a hint about how one would go about a= llowing any user from any system (_unless_ that system is listed for the sp= ecific purpose of not allowing anyone to authenticate from it) to authentic= ate?=0A=0A =0A=0A----- Original Message ----=0AFrom: Alan DeKok <aland@d= eployingradius.com>=0ATo: FreeRadius users mailing list <freeradius-users@l= ists.freeradius.org>=0ASent: Thursday, December 21, 2006 11:47:47 AM=0ASubj= ect: Re: Questions from a totally ignorant n00b=0A=0AGene Mosley wrote:=0A>= Users are authenticating from systems that they should not be=0A> authenti= cating from - we need to block authentication on a per system=0A> (IP addre= ss) basis, not a per user basis.=0A=0A You can do this in FreeRADIUS. Put= users into different groups, and=0Ablock the group from accessing particul= ar systems.=0A=0A> Users should be allowed to authenticate from any system = that they are=0A> using _except_ a certain, specific list of IP addresses w= hich would=0A> basically be banned/blocked from authenticating.=0A=0A This= can be done, too.=0A=0A> Is this something that FreeRADIUS can do?=0A=0A = Yes.=0A=0A> I just started reading about it - and if nothing else it looks = like=0A> exec-program-wait might be used to test the IP address and return = an=0A> authentication failure?=0A=0A That will work, too, but will be less= efficient.=0A=0A Alan DeKok.=0A--=0A http://deployingradius.com - = The web site of the book=0A http://deployingradius.com/blog/ - The blog=0A= - =0AList info/subscribe/unsubscribe? See http://www.freeradius.org/list/us= ers.html=0A=0A=0A=0A=0A --0-1371719787-1166732684=:94083 Content-Type: text/html; charset=ascii Content-Transfer-Encoding: quoted-printable <html><head><style type=3D"text/css"><!-- DIV {margin:0px;} --></style></he= ad><body><div style=3D"font-family:times new roman, new york, times, serif;= font-size:12pt"><div style=3D"font-family: times new roman,new york,times,s= erif; font-size: 12pt;">Alan,<br> Could you perhaps give = me a hint about how one would go about allowing any user from any system (_= unless_ that system is listed for the specific purpose of not allowing anyo= ne to authenticate from it) to authenticate?<br><br> <br>= <br><div style=3D"font-family: times new roman,new york,times,serif; font-s= ize: 12pt;">----- Original Message ----<br>From: Alan DeKok <aland@deplo= yingradius.com><br>To: FreeRadius users mailing list <freeradius-user= s@lists.freeradius.org><br>Sent: Thursday, December 21, 2006 11:47:47 AM= <br>Subject: Re: Questions from a totally ignorant n00b<br><br><div>Gene Mo= sley wrote:<br>> Users are authenticating from systems that they should = not be<br>> authenticating from - we need to block authentication on a per system<br>&= gt; (IP address) basis, not a per user basis.<br><br> You can do= this in FreeRADIUS. Put users into different groups, and<br>blo= ck the group from accessing particular systems.<br><br>> Users should be= allowed to authenticate from any system that they are<br>> using _excep= t_ a certain, specific list of IP addresses which would<br>> basically b= e banned/blocked from authenticating.<br><br> This can be done, = too.<br><br>> Is this something that FreeRADIUS can do?<br><br> &nb= sp;Yes.<br><br>> I just started reading about it - and if nothing else i= t looks like<br>> exec-program-wait might be used to test the IP address= and return an<br>> authentication failure?<br><br> That will= work, too, but will be less efficient.<br><br> Alan DeKok.<br>-= -<br> <a target=3D"_blank" href=3D"http://deployingradius.com">http://deployingradius.com</a> &n= bsp; - The web site of the book<br> <a t= arget=3D"_blank" href=3D"http://deployingradius.com/blog/">http://deploying= radius.com/blog/</a> - The blog<br>- <br>List info/subscribe/unsubscribe? S= ee <a target=3D"_blank" href=3D"http://www.freeradius.org/list/users.html">= http://www.freeradius.org/list/users.html</a><br></div></div><br></div></di= v></body></html> --0-1371719787-1166732684=:94083-- --===============1457223292== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html --===============1457223292==-- 
|
Linear Mode
