We are using two different NAS: NAS-A and NAS-B. The NAS use Radius to query privacyidea and send their addresses in the NAS-IP-Address field.
User-Group-1 should be allowed to connect to both NAS, User-Group-2 should only be allowed to connect to NAS-A.
Does the freeradius-plugin pass the NAS-IP-Address to privacyidea? Can privacyidea process the authentication / authorization decision based on this scenario? Which kind of policy would I have to configure?
Hm, I am not sure. This would take a few minutes of thinking.
All policies can be configured based on the client IP.
You need to configure privacyIDEA system settings to allow freeradius to “override authorization client”. Take a look in the online documentation for these key words.
Oh man. I don’t think this forum is for bootstrapping your complete configuration. Either you figure it out by reading the documentation or get some consultancy.
I personally dislike people running a Cisco ASA out of support and asking 20 questions to get a step by step setup. (But everyone is allowed to ask anything - it simply depends on who and when will answer).
You are asking for a rather specific configuration. You can probably set this up, but don’t ask me who.
It would take me more than two minutes to think about, and I do not tend to answer questions that need more thinking than one minute.