limiting login for particular purpose
Matthew Newton
mcn4 at leicester.ac.uk
Sun May 22 17:54:50 CEST 2016
On Sun, May 22, 2016 at 12:49:09AM +0200, dump at gmx.info wrote:
> I want to add a small administration page and I want to use radius via
> php too for authentication of the admin. But I want to ensure that the
> administration account can only be used for login into the
> administration section and not for login into the WiFi-net.
>
> I don't want to use realms for this purpose. I thought using the
> Auth-Type directive in the radcheck or radgroupcheck table and
> forbidding EAP authentication could be a possibility. But I don't know
> how to arrange this.
>
> Does somebody have some hints or another possibility for achieving the
> described above?
Look at the wireless auth packets and the web site auth packets.
Find some difference between them (missing Calling-Station-Id,
differnet NAS-IP-Address, Service-Type etc) and either put
radcheck entries to reject the connection for those, or just use
unlang to reject in the case you don't want to allow access.
e.g.
if (&NAS-IP-Address != "10.11.12.13" && User-Name == "webadmin") {
reject
}
http://freeradius.org/radiusd/man/unlang.html
Matthew
--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
More information about the Freeradius-Users
mailing list