[RADIATOR] Checking if attribute is within an IP subnet
daniel.herrmann at zv.fraunhofer.de
Thu Mar 2 12:33:09 UTC 2017
Hello Hugh,
> On 02.03.17, 05:24 "Hugh Irvine" hugh at open.com.au wrote:
> Probably the simplest way to do this is with a PostSearchHook.
Maybe I understood you wrong, but I am not sure how this will help. I could do the IP address check in the hook; if I understood correctly, the RADIUS request will be passed to the hook. Two questions however remain:
In summary, the overall logic should look like this:
User is authenticated against local fallback user store
    Permit
User is member of VPN AD group and student AD group:
    If source-ip in range
        Permit
    else
        Deny
    endif
User is member of OOB VPN group:
    Permit
Else
    Deny
Two questions:
- I understand that the “if source-ip”… part can be done in the Post Search Hook. How would I return a value such that the request will be denied?
- How can I check if a user is member of two groups and only then check the IP address?
Thanks again and best regards
Daniel
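
The decision logic summarised in the message above, written as an added example in Perl (the language Radiator hooks are written in). It is not part of the original post and not Radiator's own code, and it does not use the Radiator hook API. The group names, the 192.0.2.0/24 range and the `decide` interface are constructed placeholders, and it assumes the branches are checked top to bottom.

```perl
use strict;
use warnings;
# Constructed placeholders: the post names neither the groups nor the subnet.
my ($VPN_GROUP, $STUDENT_GROUP, $OOB_GROUP) = ('vpn-users', 'students', 'oob-vpn');
my $ALLOWED_NET = '192.0.2.0/24';

# Dotted quad -> 32-bit integer; undef for anything that is not valid IPv4.
sub ip_to_int {
    my ($ip) = @_;
    return undef unless defined $ip
        && $ip =~ /\A([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\z/;
    my @o = ($1, $2, $3, $4);
    return undef if grep { $_ > 255 } @o;
    return ($o[0] << 24) | ($o[1] << 16) | ($o[2] << 8) | $o[3];
}

# True only if $ip parses and lies inside $cidr; malformed input is "not in range".
sub in_subnet {
    my ($ip, $cidr) = @_;
    my ($net, $bits) = ($cidr // '') =~ m{\A([0-9.]+)/([0-9]{1,2})\z} or return 0;
    return 0 if $bits > 32;
    my ($ip_n, $net_n) = map { ip_to_int($_) } ($ip, $net);
    return 0 unless defined $ip_n && defined $net_n;
    my $mask = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    my $same = ($ip_n & $mask) == ($net_n & $mask);
    return $same ? 1 : 0;
}

# First matching branch wins (assumption: the post's branches are checked in order).
sub decide {
    my (%req) = @_;
    my %g = map { $_ => 1 } @{ $req{groups} || [] };
    return 'permit' if $req{local_fallback};
    if ($g{$VPN_GROUP} && $g{$STUDENT_GROUP}) {
        # A missing or unparsable source address fails closed.
        return in_subnet($req{source_ip}, $ALLOWED_NET) ? 'permit' : 'deny';
    }
    return 'permit' if $g{$OOB_GROUP};
    return 'deny';
}

# Constructed sample requests.
my @cases = (
    { groups => [$VPN_GROUP, $STUDENT_GROUP], source_ip => '192.0.2.57' },
    { groups => [$VPN_GROUP, $STUDENT_GROUP], source_ip => '198.51.100.9' },
    { groups => [$VPN_GROUP, $STUDENT_GROUP] },    # source address attribute missing
    { groups => [$OOB_GROUP], source_ip => '198.51.100.9' },
);
printf "%-7s %s\n", decide(%$_), join(',', @{ $_->{groups} }) . ' ' . ($_->{source_ip} // '-')
    for @cases;
```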