brian at freebsd-services.com
Fri Apr 5 02:03:28 BST 2002
> Hi Guys,
> I am using ascend-radius from the 4.2 ports collection to allow
> authentication for dial-up internet access, and I was wondering if it was
> possible to lock an authenticated user so that they can only access one IP
> or a range of IPs ? If it is possible could someone point me in the right
> direction please?
> I'm finding it really hard to find any "useful" information about the
> ascend-radius, so I hope somebody here can help.
> Kind Regards
> Tom Turrisi
> Inteleco Ltd.
> DDI: 08707 459 150
> FAX: 08707 459 200
If you check the ppp man page, you'll find the following section. Of
course you'll need to find out how to configure the radius server,
but at least this should give you an idea about what you're looking
set radius [config-file]
This command enables RADIUS support (if it's compiled in).
config-file refers to the radius client configuration file as
described in radius.conf(5). If PAP or CHAP are ``enabled'', ppp
behaves as a Network Access Server and uses the configured RADIUS
server to authenticate rather than authenticating from the
ppp.secret file or from the passwd database.
If neither PAP or CHAP are enabled, ``set radius'' will do noth-
ppp uses the following attributes from the RADIUS reply:
The peer IP address is set to the given value.
The tun interface netmask is set to the given value.
If the given MTU is less than the peer's MRU as agreed
during LCP negotiation, *and* it is less than any configured
MTU (see the ``set mru'' command), the tun interface
MTU is set to the given value.
If the received compression type is ``1'', ppp will
request VJ compression during IPCP negotiations despite
any ``disable vj'' configuration command.
The received string is expected to be in the format
dest[/bits] gw [metrics]. Any specified metrics are
ignored. MYADDR and HISADDR are understood as valid values
for dest and gw, ``default'' can be used for dest to
specify the default route, and ``0.0.0.0'' is understood
to be the same as ``default'' for dest and HISADDR for
For example, a returned value of ``22.214.171.124/24 0.0.0.0 1 2
-1 3 400'' would result in a routing table entry to the
126.96.36.199/24 network via HISADDR and a returned value of
``0.0.0.0 0.0.0.0'' or ``default HISADDR'' would result
in a default route to HISADDR.
All RADIUS routes are applied after any sticky routes are
applied, making RADIUS routes override configured routes.
This also applies for RADIUS routes that don't include
the MYADDR or HISADDR keywords.
Values received from the RADIUS server may be viewed using ``show
Brian <brian at freebsd-services.com> <brian at Awfulhak.org>
Don't _EVER_ lose your sense of humour ! <brian@[uk.]OpenBSD.org>
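
Added example, not part of the original message and not ppp's own code: a parser for the route string format quoted above (dest[/bits] gw [metrics]), plus a check that flags routes from a RADIUS reply falling outside an allowed range, since RADIUS routes override configured ones. The function names, the sample addresses and the treatment of a dest without /bits as a host route are assumptions of this sketch.

```python
import ipaddress

DEFAULT = ipaddress.ip_network("0.0.0.0/0")

def parse_framed_route(value, myaddr, hisaddr):
    """Parse 'dest[/bits] gw [metrics]' into (network, gateway)."""
    fields = value.split()
    if len(fields) < 2:
        raise ValueError("expected 'dest[/bits] gw [metrics]': %r" % value)
    dest, gw = fields[0], fields[1]          # any metrics after gw are ignored
    keywords = {"MYADDR": myaddr, "HISADDR": hisaddr}

    if dest in ("default", "0.0.0.0"):       # both mean the default route
        network = DEFAULT
    else:
        host, _, bits = dest.partition("/")
        host = keywords.get(host, host)
        # Assumption of this sketch: no /bits means a host route (/32).
        network = ipaddress.ip_network("%s/%s" % (host, bits or "32"), strict=False)

    if gw == "0.0.0.0":                      # 0.0.0.0 as gw means HISADDR
        gw = "HISADDR"
    gateway = ipaddress.ip_address(keywords.get(gw, gw))
    return network, gateway

def audit_routes(values, allowed, myaddr, hisaddr):
    """Return the route strings whose destination falls outside `allowed`."""
    allowed = [ipaddress.ip_network(a) for a in allowed]
    rejected = []
    for value in values:
        network, _ = parse_framed_route(value, myaddr, hisaddr)
        if not any(network.subnet_of(a) for a in allowed):
            rejected.append(value)
    return rejected

# Constructed sample reply values (documentation address ranges).
SAMPLE = ["192.0.2.0/24 0.0.0.0 1 2 -1 3 400",
          "default HISADDR",
          "MYADDR/32 198.51.100.1"]

if __name__ == "__main__":
    me, peer = "203.0.113.1", "203.0.113.2"
    for v in SAMPLE:
        print(v, "->", parse_framed_route(v, me, peer))
    print("outside policy:",
          audit_routes(SAMPLE, ["192.0.2.0/24", "203.0.113.0/24"], me, peer))
```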