radius question

Brian Somers brian at freebsd-services.com
Fri Apr 5 02:03:28 BST 2002

> Hi Guys,
>         I am using ascend-radius from the 4.2 ports collection to allow
> authentication for dial-up internet access, and i was wondering if it was
> possible to lock an authenticated user so that they can only access one IP
> or a range of IPs ? If it is possible could someone point me in the right
> direction please?
> I'm finding it really hard to find any "usefull" information about the
> ascend-radius, so i hope somebody here can help.
> Kind Regards
> Tom Turrisi
> Inteleco Ltd.
> DDI: 08707 459 150
> FAX: 08707 459 200


If you check the ppp man page, you'll find the following section.  Of 
course you'll need to find out how to configure the radius server, 
but at least this should give you an idea about what you're looking 

         set radius [config-file]
             This command enables RADIUS support (if it's compiled in).
             config-file refers to the radius client configuration file as
             described in radius.conf(5).  If PAP or CHAP are ``enabled'', ppp
             behaves as a Network Access Server and uses the configured RADIUS
             server to authenticate rather than authenticating from the
             ppp.secret file or from the passwd database.

             If neither PAP or CHAP are enabled, ``set radius'' will do noth-

             ppp uses the following attributes from the RADIUS reply:

                     The peer IP address is set to the given value.

                     The tun interface netmask is set to the given value.

                     If the given MTU is less than the peers MRU as agreed
                     during LCP negotiation, *and* it is less that any config-
                     ured MTU (see the ``set mru'' command), the tun interface
                     MTU is set to the given value.

                     If the received compression type is ``1'', ppp will
                     request VJ compression during IPCP negotiations despite
                     any ``disable vj'' configuration command.

                     The received string is expected to be in the format
                     dest[/bits] gw [metrics].  Any specified metrics are
                     ignored.  MYADDR and HISADDR are understood as valid val-
                     ues for dest and gw, ``default'' can be used for dest to
                     sepcify the default route, and ``'' is understood
                     to be the same as ``default'' for dest and HISADDR for

                     For example, a returned value of `` 1 2
                     -1 3 400'' would result in a routing table entry to the
            network via HISADDR and a returned value of
                     ``'' or ``default HISADDR'' would result
                     in a default route to HISADDR.

                     All RADIUS routes are applied after any sticky routes are
                     applied, making RADIUS routes override configured routes.
                     This also applies for RADIUS routes that don't include
                     the MYADDR or HISADDR keywords.

             Values received from the RADIUS server may be viewed using ``show

Brian <brian at freebsd-services.com>                <brian at Awfulhak.org>
      http://www.freebsd-services.com/        <brian@[uk.]FreeBSD.org>
Don't _EVER_ lose your sense of humour !      <brian@[uk.]OpenBSD.org>

More information about the Ukfreebsd mailing list