v3.0.10: how to specify allowed SSID list in users file?
Franta Hanzlík
franta at hanzlici.cz
Mon Nov 14 12:44:40 CET 2016
Hi Alan,
thanks for Your feedback. Apparently I somehow do not fully understand
the freeradius documentation (sorry, my English is poor).
On Mon, 14 Nov 2016 09:44:02 +0000
A.L.M.Buxey at lboro.ac.uk wrote:
> Hi,
>
> > I want authenticate WiFi users on freeradius-3.0.10. AP provides several
> > SSIDs and I want certain users to be able connect just to certain SSIDs.
> > Users are few, and I want for AAA use files module. My idea is use
> > notation something like this (in users file mods-config/files/authorize):
> >
> > tom Cleartext-Password := "to", Wifi-Allowed = "SSID1,SSID2"
> > pepa Cleartext-Password := "pp", Wifi-Allowed = "SSID1"
> > petr Cleartext-Password := "pe", Wifi-Allowed = "SSID3"
> >
> > and then test it in default server "authorize" section somewhere after
> > "files" module specification with unlang code something as:
>
> you've got this slightly mixed up. the above lines in files
> are CHECK items.....so when the request hits the files module it will be looking
> to see that all those items match. they won't as Wifi-Allowed is a construct
> that you have made.....and hasn't been set yet.....
>
> if you run in debug mode and take time to read the output and logic you
> will see what is happening
What I want (and I think it should be fine) is for "Wifi-Allowed" to be my
own internal (control) attribute (neither a check nor a reply item). And according
to the "=" operator description in the
"Use with 'check' items (users et al), or in unlang conditions"
column at:
https://wiki.freeradius.org/config/Operators
"...
It is allowed for server configuration attributes (Auth-Type, etc),
and sets the value of an attribute, only if there is no other item
of the same attribute."
I think "server configuration attributes" here means "control" attributes.
And by assigning a value in this way, my "Wifi-Allowed" attribute will be
automatically included among the control attributes.
Or isn't that true?
How do I then define and set my own control attribute?
Is a "server configuration attribute" something different from a "control
attribute"?
> > switch &Called-Station-SSID {
> >     case "SSID1" {
> >         if (&control:Wifi-Allowed =~ /.*SSID1.*/ ) {
> >             ok
> >         } else {
> >             reject
> >         }
> >     }
> >     case "SSID2" {
> >         if (&control:Wifi-Allowed =~ /.*SSID2.*/ ) {
> >             ok
> >         } else {
> >             reject
> >         }
> >     }
>
> so...for this to work I think all you need to do is slip the 'Wifi-Allowed' value to be a reply item
> in the users file....and then change your unlang to &reply:Wifi-Allowed instead of control eg
>
> pepa    Cleartext-Password := "pp"
>         Wifi-Allowed = "SSID1"
>
> switch &Called-Station-SSID {
>     case "SSID1" {
>         if (&reply:Wifi-Allowed =~ /.*SSID1.*/ ) {
>             ok
>         } else {
>             reject
>         }
>     }
> }
>
> or somesuch..... there are better ways of doing this but if you're invested in this route then that should
> get you going
Could You please at least suggest what better ways You have in mind?
Something without using the "users" file?
I want to use it because only a few users connect to the AP
and their access data will change infrequently. Setting up some other
authentication service (SQL, LDAP) and an interface for controlling
it seems unnecessarily complex to me. And using unix (or rather
PAM) also seems inappropriate to me: the Linux server where freeradius
runs also runs other things unrelated to WiFi users.
>
>
> alan
--
Best regards
František Hanzlík
Luční 502 Linux/Unix/LAN/Internet Tel: +420-372-222302
33209 Štěnovice e-mail:franta at hanzlici.cz Fax: +420-372-222302
Czech Republic http://hanzlici.cz/ GSM: +420-604-117319
This mail contains no viruses; it was sent from the Linux operating system
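
Added example, not part of the original message or of FreeRADIUS: a Python model of the per-user SSID allowlist check discussed in the thread, showing that the substring pattern `/.*SSID1.*/` also accepts a list that contains only `SSID10`, while an exact comparison against each comma-separated entry does not. The user `eva` and the SSID `SSID10` are constructed sample values, and the parser handles only the single-line entry format shown in the message.

```python
import re

# Constructed sample in the single-line format used in the message above.
# "eva" and "SSID10" are made-up values added to show the over-match case.
USERS = '''
tom  Cleartext-Password := "to", Wifi-Allowed = "SSID1,SSID2"
pepa Cleartext-Password := "pp", Wifi-Allowed = "SSID1"
petr Cleartext-Password := "pe", Wifi-Allowed = "SSID3"
eva  Cleartext-Password := "ev", Wifi-Allowed = "SSID10"
'''

ENTRY = re.compile(r'^(\S+)\s+.*\bWifi-Allowed\s*:?=\s*"([^"]*)"')


def parse_allowed(text):
    """Map user name -> raw Wifi-Allowed string."""
    allowed = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            allowed[m.group(1)] = m.group(2)
    return allowed


def substring_check(allowed, ssid):
    """Model of the thread's test: Wifi-Allowed =~ /.*<SSID>.*/"""
    return re.search(".*" + re.escape(ssid) + ".*", allowed) is not None


def token_check(allowed, ssid):
    """Exact comparison against each comma-separated entry."""
    return ssid in [item.strip() for item in allowed.split(",")]


def decide(users, user, ssid, check=token_check):
    """Return 'ok' or 'reject'; unknown users and empty lists are rejected."""
    allowed = users.get(user, "")
    return "ok" if allowed and check(allowed, ssid) else "reject"


if __name__ == "__main__":
    users = parse_allowed(USERS)
    for user, ssid in [("tom", "SSID2"), ("petr", "SSID1"), ("eva", "SSID1")]:
        print(user, ssid,
              "substring:", decide(users, user, ssid, substring_check),
              "token:", decide(users, user, ssid, token_check))
```

In an unlang condition the same effect comes from anchoring the pattern on the list separators, for example `/(^|,)SSID1(,|$)/`.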