I've got a little server running freeradius for a handful of systems that I don't have any control over the firewalling or configuration for (i.e. I can't control what it sends to me, but I need it to work). That server has some other host authenticating to me with the same username thousands of times per day and there's nothing I can do about it, except complain. I need to serve out radius requests so good things can happen, but all the bad things are blocking the good things.

Is there a way I can block radius requests by source address or by username - or whitelist?

Peter Turner

1 Answer

You could remove the host in question from the clients.conf file. If it is part of a subnet that your OK clients live in, that may be more difficult.

Alternatively, you could a) reject or b) noop the requests for that username in your virtual server config; something like:

authorize {
    ...
    if (User-Name == "bad_user") {
        # a) reject: force the request to fail authentication
        # update control {
        #     Auth-Type := Reject
        # }
        # or, b) noop: do nothing and fall through
        # noop
    } else {
        # process other users using eap or whatever
    }
    ...
}

I know the reject thing would work, but I have never used noop so you'd better test this. Test both before going to production!

  • `noop` literally means that - no-op: it doesn't do anything (except set return codes). Just do `if (...) { reject }` to reject the authentication. Then you don't need the `else` either. If there are loads of users, and they can't be rejected by just removing the client from `clients.conf`, adding them to the `users` file with something like `baduser Auth-Type := reject` will save on a load of unlang - there are examples in the default `users` file. – Matthew Newton Aug 13 '22 at 17:41
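Putting the answer and the comment together, here is an added configuration example (not the poster's own config) showing the plain `reject` form, the same block keyed on the sending address for the case where the host sits inside an allowed subnet, and the equivalent `users` file entry. It assumes FreeRADIUS 3.x with the Debian-style `/etc/freeradius/3.0` layout; `bad_user` and 192.0.2.10 are placeholders.

```unlang
# Added example, not the answer's own config. Assumes FreeRADIUS 3.x;
# "bad_user", 192.0.2.10 and the file paths are placeholders/assumptions.

# --- /etc/freeradius/3.0/sites-enabled/default (the virtual server) ---
authorize {
    # Drop the noisy account before any files/sql/eap work is done.
    # `reject` ends the section with a reject result, so no `else` is needed
    # and the remaining modules never run for this request.
    if (User-Name == "bad_user") {
        update reply {
            Reply-Message := "account blocked on this server"
        }
        reject
    }

    # Same idea keyed on the source host, for when clients.conf has to
    # allow the whole subnet the host lives in.
    if (Packet-Src-IP-Address == 192.0.2.10) {
        reject
    }

    # normal processing for everyone else
    files
    eap
}

# --- /etc/freeradius/3.0/mods-config/files/authorize (the `users` file) ---
# Equivalent to the first if-block above, one entry per blocked account.
# The `files` module must be listed in authorize, and these entries must
# come before any DEFAULT entry so they match first.
bad_user        Auth-Type := Reject
                Reply-Message = "account blocked on this server"
```

Either way the rejected attempts still appear as Access-Reject entries in radius.log, so you can keep counting them while they no longer hold up the good requests.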