limiting Authentication based on the NAS

Phil Mayers p.mayers at imperial.ac.uk
Thu Nov 8 13:51:47 CET 2007


On Thu, 2007-11-08 at 07:40 -0500, Terry Pelley wrote:
> Sorry, First posting contained no subject header.
> This is a repost.
> 
> I want to be able to specify which Wireless Access Points certain
> users can gain access from.
> 
> Is there an attribute that I can set so that a user can only be
> authenticated if the request comes from a predetermined NAS or group
> of NASs?

Not a specific attribute, but there are lots of variations on techniques
that can do this. Most basic:

 1. Put WAPs into huntgroups
 2. In the users file, do:

# let user1 in group1
user1	Huntgroup-Name == "group1"
	Fall-Through = No

# user2 in group2
user2	Huntgroup-Name == "group2"
	Fall-Through = No

# default deny
DEFAULT	Auth-Type := Reject

Slightly more complex:

 1. Put the WAPs into huntgroups
 2. Put the users into groups (see rlm_passwd for file-based, or use
SQL/LDAP)
 3. In the "users" file:

# users in ug1 can access WAPs in wapg1
DEFAULT	Huntgroup-Name == "wapg1", {My,SQL,LDAP}-Group == "ug1"
	Fall-Through = No

There are many more variations using SQL and LDAP.
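As an added illustration (not code from the post or from FreeRADIUS itself), the following Python model walks through the first variant above: a constructed huntgroups file maps NAS-IP-Address values to huntgroup names, and a users file in the same shape as the one quoted is evaluated in order, which makes visible why the final `DEFAULT Auth-Type := Reject` entry matters. The NAS addresses, user names and the two file contents are constructed for the example.

```python
"""Simplified model of huntgroup + users-file matching (added example, not
FreeRADIUS code): derive the NAS's huntgroups from a huntgroups file, then
walk the users file in order, honouring Fall-Through and the DEFAULT entry."""

# Constructed huntgroups file: one NAS per line, a group may list several NASs.
HUNTGROUPS = """
group1  NAS-IP-Address == 192.0.2.10
group1  NAS-IP-Address == 192.0.2.11
group2  NAS-IP-Address == 192.0.2.20
"""

# Constructed users file in the shape of the post's first example:
# (name, check items, reply items).
USERS = [
    ("user1",   {"Huntgroup-Name": "group1"}, {"Fall-Through": "No"}),
    ("user2",   {"Huntgroup-Name": "group2"}, {"Fall-Through": "No"}),
    ("DEFAULT", {},                           {"Auth-Type": "Reject"}),
]


def huntgroups_for(nas_ip, text=HUNTGROUPS):
    """All huntgroup names whose NAS-IP-Address line matches this NAS."""
    groups = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[1:3] == ["NAS-IP-Address", "=="]:
            if parts[3] == nas_ip:
                groups.add(parts[0])
    return groups

def evaluate(username, nas_ip, users=USERS):
    """Return 'reject', 'files-accept' or 'no-match'. 'no-match' is what the
    DEFAULT deny entry prevents: without it rlm_files makes no decision and
    another module (LDAP, SQL, ...) may still authenticate the user."""
    nas_groups = huntgroups_for(nas_ip)
    decision = "no-match"
    for name, check, reply in users:
        if name != "DEFAULT" and name != username:
            continue
        wanted = check.get("Huntgroup-Name")
        if wanted is not None and wanted not in nas_groups:
            continue
        if reply.get("Auth-Type") == "Reject":
            return "reject"
        decision = "files-accept"      # entry matched; password checked elsewhere
        if reply.get("Fall-Through", "No") != "Yes":
            break
    return decision
```

Dropping the DEFAULT entry (`users=USERS[:2]`) turns a user on the wrong access point from `reject` into `no-match`, which is the gap the default deny closes.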
