PEAP and Huntgroup-Name
Nicolas Boullis
nicolas.boullis at ecp.fr
Tue Jul 7 12:15:23 CEST 2009
Hello,
I'm using FreeRADIUS 2.0.4 from the package in Debian Lenny for WPA (for
wifi) and 802.1x (for wired ethernet) authentication and authorization.
They use PEAP/MSCHAPv2 for authentication.
Most users are in LDAP and are allowed to connect either to wired
ethernet or to wifi.
But I also have to deal with some "guest" users, whose usernames all
begin with the "guest/" prefix, who are in a SQL database, and who
should only be allowed to connect to wifi.
Currently, the relevant part of my users file is:
| DEFAULT Huntgroup-Name == ap, Prefix == "guest/", Autz-Type := GUEST
|         Fall-Through = No
|
| DEFAULT Autz-Type := DEFAULT
The trouble is the inner request has no NAS-IP-Address, so the
Huntgroup-Name is not set and does not match.
Running freeradius -X shows that the Huntgroup-Name condition is
correctly verified for the outer request, but not for the inner one.
And if I remove the Huntgroup-Name condition, everything works fine, but
the guest users are allowed to connect to wired ethernet.
Is there a way I can test the outer Huntgroup-Name in my users file?
Regards,
--
Nicolas Boullis
Ecole Centrale Paris
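
Added example, not part of the original message and not FreeRADIUS code: a simplified Python model of the users-file lookup described above, showing why the tunnelled (inner) request falls through to DEFAULT and why dropping the Huntgroup-Name check lets guests onto wired ports. The NAS addresses, the "switch" huntgroup, the user name and the helper with_outer_attrs are assumptions made for illustration.

```python
# Simplified model: only "==" checks, Prefix and first-match (Fall-Through = No).
HUNTGROUPS = {"192.0.2.10": "ap", "192.0.2.20": "switch"}  # constructed NAS addresses

def preprocess(request):
    """Set Huntgroup-Name from NAS-IP-Address, when the request carries one."""
    req = dict(request)
    nas = req.get("NAS-IP-Address")
    if nas in HUNTGROUPS:
        req["Huntgroup-Name"] = HUNTGROUPS[nas]
    return req

def item_matches(req, attr, value):
    """Prefix tests the start of User-Name; other items are plain equality."""
    if attr == "Prefix":
        return req.get("User-Name", "").startswith(value)
    return req.get(attr) == value

# (check items, Autz-Type assigned) in file order, as in the post.
USERS = [({"Huntgroup-Name": "ap", "Prefix": "guest/"}, "GUEST"), ({}, "DEFAULT")]
# The same file with the Huntgroup-Name condition removed.
USERS_NO_HUNTGROUP = [({"Prefix": "guest/"}, "GUEST"), ({}, "DEFAULT")]

def autz_type(request, users=USERS):
    """Return the Autz-Type of the first entry whose check items all match."""
    req = preprocess(request)
    for checks, result in users:
        if all(item_matches(req, a, v) for a, v in checks.items()):
            return result
    return None

def with_outer_attrs(inner, outer):
    """Hypothetical what-if: inner request given the outer attributes it lacks."""
    return {**outer, **inner}

# Constructed requests. The inner one is identical for wifi and wired logins,
# so no rule evaluated on it alone can tell the two apart.
OUTER_WIFI = {"User-Name": "guest/alice", "NAS-IP-Address": "192.0.2.10"}
OUTER_WIRED = {"User-Name": "guest/alice", "NAS-IP-Address": "192.0.2.20"}
INNER = {"User-Name": "guest/alice"}  # no NAS-IP-Address inside the tunnel

if __name__ == "__main__":
    print("outer wifi :", autz_type(OUTER_WIFI))
    print("inner      :", autz_type(INNER))
    print("inner, no huntgroup check:", autz_type(INNER, USERS_NO_HUNTGROUP))
    print("inner + outer wired attrs:", autz_type(with_outer_attrs(INNER, OUTER_WIRED)))
```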
More information about the Freeradius-Users
mailing list