Freeradius Restrict User Auth Request Based on VLAN

Nathan Ward lists+freeradius at daork.net
Wed Jan 17 10:26:18 CET 2018



> On 17/01/2018, at 10:15 PM, Alan DeKok <aland at deployingradius.com> wrote:
> 
> On Jan 17, 2018, at 2:12 AM, JAHANZAIB SYED <aacable at hotmail.com> wrote:
>> 
>> We have Mikrotik as NAS and Freeradius as billing. VLANs are configured for each dealer's area. We have a few reseller/franchise managers, like Dealer-A, Dealer-B. They can create their own users in freeradius using a frontend designed in php. All dealers can view/edit their own users only.
>> 
>> Sometimes it happens that Dealer-A creates an ID and gives it to a user/friend who is sitting in Dealer-B's network, therefore from a billing perspective it's a loss for Dealer-B.
>> 
>> Can we impose some restriction so that User-IDs created by each dealer should be able to connect only from his network (or from their own VLAN)?
> 
>  Sure.  You need to update your DB schema and queries though.
> 
> - put the NASes into groups (dealer-A, dealer-B, etc.)
> - ensure that the users are somehow associated with different dealers
> - on login, look up dealer of NAS (call this NAS-dealer)
> - on login, look up dealer of user (call this User-Dealer)
> - if User-Dealer != NAS-Dealer, then reject
> 
>  More details can't be given, because your question is very high level.

Been meaning to reply to this one. It sounds like the OP has NASes (or maybe just one NAS) shared across many dealers, with one VLAN per dealer. I agree though, it is not very clear.

I would suggest looking at the NAS-Port-Id attribute and see if you can use that to figure out the VLAN interface that the subscriber comes in on - whether that works or not depends on your NAS, and I imagine the protocol - Mikrotik docs suggest that this would work for PPPoE and hotspot. You can also set “realm” per RADIUS client, and set a RADIUS client per PPPoE server. This will send the Mikrotik-Realm attribute.

You can add checks for the correct “NAS-Port-Id” or “Mikrotik-Realm” in the radcheck table.

--
Nathan Ward
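Worked example (added for this archive page, not code from anyone in the thread): SQL that realises Nathan's radcheck suggestion together with Alan's dealer grouping on the stock FreeRADIUS MySQL schema. The `dealer` and `user_dealer` tables and the interface names are assumptions; `radcheck` is the standard table.

```sql
-- Added example, not from anyone in the thread. Assumes the stock FreeRADIUS
-- MySQL schema (radcheck already exists; the two tables below are new) and a
-- Mikrotik NAS that sends the VLAN interface name in NAS-Port-Id. The names
-- 'vlan100'/'vlan200' are constructed: use whatever your NAS really sends.

-- One row per dealer, recording the VLAN interface its subscribers arrive on.
CREATE TABLE dealer (
  id         INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  name       VARCHAR(64)  NOT NULL UNIQUE,
  vlan_iface VARCHAR(64)  NOT NULL
);

-- Owner of each subscriber account; the PHP frontend fills this when a
-- dealer creates a user (the dealer cannot choose another dealer's id).
CREATE TABLE user_dealer (
  username  VARCHAR(64)  NOT NULL PRIMARY KEY,
  dealer_id INT UNSIGNED NOT NULL,
  FOREIGN KEY (dealer_id) REFERENCES dealer (id)
);

INSERT INTO dealer (name, vlan_iface) VALUES ('Dealer-A', 'vlan100'), ('Dealer-B', 'vlan200');
INSERT INTO user_dealer (username, dealer_id) VALUES ('alice', 1), ('bob', 2);

-- The actual restriction: one check item per user. With op '==' the sql
-- module compares the request's NAS-Port-Id with the stored value, and the
-- user entry fails to match when they differ, so alice authenticates only
-- when she arrives on Dealer-A's VLAN.
INSERT INTO radcheck (username, attribute, op, value)
SELECT ud.username, 'NAS-Port-Id', '==', d.vlan_iface
FROM user_dealer ud
JOIN dealer d ON d.id = ud.dealer_id;

-- Audit query: radcheck rows that disagree with the current owner mapping,
-- e.g. after a user was moved to another dealer without regenerating checks.
SELECT rc.username, rc.value AS enforced_iface, d.vlan_iface AS expected_iface
FROM radcheck rc
JOIN user_dealer ud ON ud.username = rc.username
JOIN dealer d       ON d.id = ud.dealer_id
WHERE rc.attribute = 'NAS-Port-Id' AND rc.value <> d.vlan_iface;
```

If the NAS cannot carry the VLAN in NAS-Port-Id, the same row shape works with `Mikrotik-Realm` as the attribute, as Nathan suggests, once a RADIUS client with its own realm is configured per PPPoE server.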
