multi ssid use multi radcheck

Brian Candler b.candler at pobox.com
Thu Mar 23 09:43:26 CET 2017


On 23/03/2017 05:34, gh.li at microshield.com.cn wrote:
> I have extended the radcheck table with a field user_ssid, so the records look like:
>
> and change the authorize_check_query  statement to:
> "SELECT id, username, attribute, value, op FROM ${authcheck_table} WHERE username = '%{SQL-User-Name}'  and  ssid='%{Aruba_Essid_Name}'  ORDER BY id"
>
> but I do not get the correct SQL statement:
> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'emp'  and  ssid=''  ORDER BY id
Are you sure the incoming request contains an "Aruba_Essid_Name" 
attribute? According to the dictionary I have here, it should have 
dashes and not underscores:

share/dictionary.aruba:ATTRIBUTE    Aruba-Essid-Name            5 string

However, there's a better way to do what you're doing: separate 
authentication (who you are) from authorization (what you are allowed to 
do).

In the sql tables, you can do this using groups.

(1) Make each of your employee accounts members of an 'employee' group 
(insert into the usergroup_table which is by default called "radusergroup")

(2) Add your authorization rules into unlang, in a policy entry called 
from your authorize{} or post-auth{} section

wireless_authz {
    # Reject anyone on the employee SSID who is not in the 'employee' SQL
    # group. SQL-Group is filled from the radusergroup table by rlm_sql.
    # Negation in unlang is written with '!', not 'not'.
    if (&Aruba-Essid-Name == "SSID-EMP" && !(&SQL-Group[*] == 'employee')) {
        reject
    }
}

(It might be possible to hack something together using the radgroupcheck 
table, but the unlang approach is simple and explicit)

HTH,

Brian.
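As an added illustration of the group-based approach above (this is example SQL written for this page, not from the original post or the FreeRADIUS project), the following populates the stock FreeRADIUS 3.x MySQL schema so that authentication and authorization stay separate. Table and column names follow the default schema; the account name, password and group name are constructed for the example, and the two SELECTs are the default authorize_check_query and group_membership_query as they would read once %{SQL-User-Name} has expanded (the exact default query text is an assumption to be checked against your mods-config/sql/main/*/queries.conf).

```sql
-- Added example, not part of the original post.
-- Authentication (who you are): the credential lives in radcheck only.
INSERT INTO radcheck (username, attribute, op, value)
VALUES ('emp', 'Cleartext-Password', ':=', 'changeme');   -- constructed test password

-- Authorization (what you may do): group membership lives in radusergroup,
-- which is the usergroup_table rlm_sql reads by default.
INSERT INTO radusergroup (username, groupname, priority)
VALUES ('emp', 'employee', 1);

-- With this in place the unmodified default queries are enough.
-- authorize_check_query, expanded for User-Name = emp (no ssid column needed):
SELECT id, username, attribute, value, op
  FROM radcheck
 WHERE username = 'emp'
 ORDER BY id;

-- group_membership_query (assumed v3.x default), expanded for the same user.
-- Its result is what makes "&SQL-Group == 'employee'" true in unlang, so the
-- ESSID decision can be made in the wireless_authz policy instead of in SQL.
SELECT groupname
  FROM radusergroup
 WHERE username = 'emp'
 ORDER BY priority;
```

Because the SSID never appears in the schema, adding a second restricted SSID later is a one-line change to the unlang policy rather than a schema migration and a rewrite of authorize_check_query.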

