How to Restrict All Users from Certain APs

Fajar A. Nugraha list at fajar.net
Thu Jan 26 00:55:03 CET 2012


On Thu, Jan 26, 2012 at 4:37 AM, White III, Joe <Joe.White at arvatousa.com> wrote:
>> Generally, you can only do this if the requests from those "certain
>> APs" have something which distinguishes them. Then you can match on this
>> in the users file [using 'DEFAULT'] and set Auth-Type to Reject.
>
>
> If I have three access points I don't want users to access, can I do something like below?
>
> +-----+------------------+----------------+-------+-------+-----------+
> | id  | nasname          | shortname      | type  | ports | secret    |
> +-----+------------------+----------------+-------+-------+-----------+
> | 136 | 172.18.100.8     | ap-2000-cd6    | other |  NULL | letmelook |
> |  11 | 172.18.100.4     | ap2000-cd-2    | other |  NULL | letmelook |
> |  10 | 172.18.100.5     | ap2000-cd-3    | other |  NULL | letmelook |
>
>
> DEFAULT shortname == ap-2000-cd6, Auth-type := reject,
>        Fall-Through = yes
>
> DEFAULT shortname == ap2000-cd-2, Auth-type := reject
>        Fall-Through = yes
>
> DEFAULT shortname == ap2000-cd-3, Auth-type := reject

Not sure.

In FR-2.x you should be able to use

DEFAULT Client-Shortname == ap-2000-cd6, Auth-type := reject,
       Fall-Through = yes

... or create some unlang policy using the variable
"%{Client-Shortname}". But AFAIK unlang is 2.x, so I'm not sure
whether the attribute is also filled in FR-1.x.

I highly suggest you upgrade. Which OS/distro do you use? Most Linux
distros (even the "ancient" CentOS 5 or Ubuntu Hardy) have a
ready-to-use FR2 package.

-- 
Fajar
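
The unlang option mentioned in the message above, sketched as an added example that is not part of the original post or of the FreeRADIUS distribution. It assumes FreeRADIUS 2.x with the stock policy.conf and sites-available/default layout; the policy name deny_restricted_aps is hypothetical, and the three shortnames are the ones from the quoted nas table.

```conf
# policy.conf (FreeRADIUS 2.x): add inside the existing "policy { ... }" block.
# "deny_restricted_aps" is a hypothetical name chosen for this example.
policy {
	deny_restricted_aps {
		# %{Client-Shortname} expands to the shortname of the client (NAS)
		# entry that matched the source of the request.
		# The ^...$ anchors make the regex match whole names only, so a
		# client named e.g. "ap2000-cd-30" is not caught by accident.
		if ("%{Client-Shortname}" =~ /^(ap-2000-cd6|ap2000-cd-2|ap2000-cd-3)$/) {
			# Stop processing and send Access-Reject.
			reject
		}
	}
}

# sites-available/default: call the policy early in authorize, before any
# user lookup, so requests from the listed APs are rejected no matter
# which user is authenticating.
authorize {
	preprocess
	deny_restricted_aps
	# ... the rest of the existing authorize modules stay unchanged ...
}
```

Running the server in debug mode (radiusd -X) shows the expanded Client-Shortname for each request, which confirms whether the attribute is populated and the condition matched.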



