Serving multiple groups of users

Marcus Ng marcus.ng at assuritz.com
Sun Aug 17 21:40:35 CEST 2014


Hi,

Thanks for the suggestion but it may not solve my problems, which is to
isolate the authentication of different groups of users.

This is my use case. I have 2 dept: A & B. I want to provide WPA2-Enterprise
to both dept A & B, who have different groups of end users. But I do not
want them to mix, i.e.

If a end user from dept A tries to connect to a Wifi AP that belongs to dept
A, the authentication would be successful.
If a end user from dept A tries to connect to a Wifi AP that belongs to dept
B, the authentication would fail.

I can create 2 virtual servers and point the group of Wifi AP from Dept A to
virtual server 1 and dept B to Virtual Server 2. But how would the virtual
server knows which authentication to allow and which to block? From what I
understand, the 2 virtual servers will share the same sql module. That is my
dilemma.

I have tried to solve this through a number of ways but have not been very
successful.

Method 1. Taking advantage of the fact that all wifi AP of a dept will point
to a particular virtual server, I modify the authorize_check_query to use
the listening address/port of the virtual server as a selection criteria

	authorize_check_query = "SELECT id, UserName, Attribute, Value, Op \
	FROM ${authcheck_table} \
	WHERE Username = '%{SQL-User-Name}' \
	and ORG =(Select org from radlisten where \
	  radius_ip='%{Packet-Dst-IP-Address}' and
radius_port='%{Packet-Dst-Port}') ORDER BY id"


(Note: Yes I add a column 'Org' to table radcheck and a new table radlisten
to do this. See below).
	


\d radcheck
                                  Table "public.radcheck"
  Column   |          Type          |                       Modifiers

-----------+------------------------+---------------------------------------
----------------
 id        | integer                | not null default
nextval('radcheck_id_seq'::regclass)
 org       | character varying(64)  | not null default ''::character varying
 username  | character varying(64)  | not null default ''::character varying
 attribute | character varying(64)  | not null default ''::character varying
 op        | character(2)           | not null default '=='::bpchar
 value     | character varying(253) | not null default ''::character varying


\d radlisten
                                   Table "public.radlisten"
   Column    |         Type          |                       Modifiers

-------------+-----------------------+--------------------------------------
------------------
 id          | integer               | not null default
nextval('radlisten_id_seq'::regclass)
 org         | character varying(64) | not null default ''::character
varying
 radius_ip   | cidr                  | not null
 radius_port | integer               | not null


This works for the outer layer. But when the auth-request is passed to the
inner-tunnel, the runtime attributes %{Packet-Dst-Port} no longer holds the
original value, so the authentication fails at inner-tunnel.
  

Method 2. I thought I can capture the initial listening IP and port and pass
that info to the inner-tunnel as attributes. So I add a section in
policy.conf

    update request {
        Radius-IP = "%{Packet-Dst-IP-Address}"
        Radius-Port = "%{Packet-Dst-Port}"
    }

The attributes are added successfully. But how do I pass them to the
inner-tunnel??



Thanks!
-Marcus


-----Original Message-----
From: freeradius-users-bounces+marcus.ng=assuritz.com at lists.freeradius.org
[mailto:freeradius-users-bounces+marcus.ng=assuritz.com at lists.freeradius.org
] On Behalf Of Alan DeKok
Sent: Sunday, August 17, 2014 5:09 PM
To: FreeRadius users mailing list
Subject: Re: Serving multiple groups of users

Marcus Ng wrote:
> I would like to configure freeradius2 to have multiple listening 
> ports, with each port catering to a unique group of users.
> 
> I.e. if a user comes in through listening port 1, his credentials will 
> be checked against a subset of the radcheck.
> 
> if a user comes in through listening port 2,  his credentials will be 
> checked against a different subset of the radcheck.
>
> What is the easiest way to do that?

  Read raddb/sites-available/README.  You can use a virtual server.

  Copy the default server, and then change the port numbers in the copy.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html



More information about the Freeradius-Users mailing list