[RADIATOR] Checking if attribute is within an IP subnet

daniel.herrmann at zv.fraunhofer.de
Thu Mar 2 12:33:09 UTC 2017


Hello Hugh,

> On 02.03.17, 05:24 "Hugh Irvine" hugh at open.com.au wrote:
> Probably the simplest way to do this is with a PostSearchHook.
    
Maybe I understood you wrong, but I am not sure how this will help. I could do the IP address check in the hook. If I understood correctly, the RADIUS request will be passed to the hook. Two questions, however, remain:

In summary, the overall logic should look like this:

User is authenticated against local fallback user store
    Permit
User is member of VPN AD group and student AD group:
    If source-ip in range
        Permit
    else
        Deny
    endif
User is member of OOB VPN group:
    Permit
Else
    Deny

Two questions:
 
- I understand that the “if source-ip”… part can be done in the Post Search Hook. How would I return a value such that the request will be denied?
- How can I check if a user is a member of two groups and only then check the IP address?

Thanks again and best regards
Daniel
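
The decision order outlined in the message above, as an added example that is not part of the original post and is not Radiator code: plain Perl functions that call no Radiator API, with the rules read as a first-match chain (an assumption), so a student who is also in the OOB group is still subject to the subnet check. The group names, the subnet, the `source_ip` field and the sample requests are constructed placeholders.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed placeholders: group names and subnet are assumptions.
my ($VPN_GROUP, $STUDENT_GROUP, $OOB_GROUP) = ('vpn-users', 'students', 'oob-vpn');
my $STUDENT_NET = '192.0.2.0/24';

# Dotted-quad string to 32-bit integer; undef for anything malformed.
sub ip_to_int {
    my ($ip) = @_;
    return unless defined $ip
        && $ip =~ /\A([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\z/;
    my @octets = ($1, $2, $3, $4);
    return if grep { $_ > 255 } @octets;
    return ($octets[0] << 24) | ($octets[1] << 16) | ($octets[2] << 8) | $octets[3];
}

# True only when $ip parses and lies inside $cidr; bad input fails closed.
sub ip_in_subnet {
    my ($ip, $cidr) = @_;
    my ($net, $len) = ($cidr // '') =~ m{\A([0-9.]+)/([0-9]{1,2})\z} or return 0;
    my $ip_int  = ip_to_int($ip);
    my $net_int = ip_to_int($net);
    return 0 unless defined $ip_int && defined $net_int && $len <= 32;
    my $mask = $len == 0 ? 0 : (0xFFFFFFFF << (32 - $len)) & 0xFFFFFFFF;
    return (($ip_int & $mask) == ($net_int & $mask)) ? 1 : 0;
}

# First matching rule wins, in the order the message lists them.
sub decide {
    my (%req) = @_;
    my %member = map { $_ => 1 } @{ $req{groups} || [] };
    return 'permit' if $req{local_auth};
    if ($member{$VPN_GROUP} && $member{$STUDENT_GROUP}) {
        return ip_in_subnet($req{source_ip}, $STUDENT_NET) ? 'permit' : 'deny';
    }
    return 'permit' if $member{$OOB_GROUP};
    return 'deny';
}

# Constructed sample requests.
my @samples = (
    { name => 'fallback',    local_auth => 1, groups => [] },
    { name => 'student-in',  groups => [$VPN_GROUP, $STUDENT_GROUP], source_ip => '192.0.2.17' },
    { name => 'student-out', groups => [$VPN_GROUP, $STUDENT_GROUP, $OOB_GROUP], source_ip => '198.51.100.9' },
    { name => 'student-bad', groups => [$VPN_GROUP, $STUDENT_GROUP], source_ip => '192.0.2.999' },
    { name => 'oob',         groups => [$OOB_GROUP] },
    { name => 'vpn-only',    groups => [$VPN_GROUP], source_ip => '192.0.2.17' },
);
printf "%-12s %s\n", $_->{name}, decide(%$_) for @samples;
```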


