Restricting users to their own devices

Sudheer S sudheer at
Mon Apr 22 18:10:43 CEST 2019


I am using Freeraidius and I want to restrict users to their own devices.

I have inserted the Mac addresses of the users in radcheck table with 
the attribute Calling-Station-Id. Here's an example:

SELECT * FROM radcheck;
   id   |  username  |     attribute      | op |    value
  23175 | testuser01 | Cleartext-Password | := | password
  23177 | testuser01 | Calling-Station-Id | := | aabbccddeefa
  23178 | testuser01 | Calling-Station-Id | := | aabbccddeeff

In this case, the user testuser01 has two devices. aabbccddeefa and 
aabbccddeeff are their respective mac addresses.

In the authorize section, I have this snippet:

if (Calling-Station-Id != "%{sql: SELECT value FROM radcheck WHERE 
username='%{User-Name}' AND value='%{Calling-Station-Id}'}") {
         update reply {
          Reply-Message = "Unauthorized device"

This setup works.

I was wondering whether this is an acceptable way to restrict users to 
their own devices.

Initially, I assumed Freeradius would restrict the users based on 
Calling-Station-Id in radcheck table. But when I tested, my assumption 
was wrong. Therefore, I put up the unlang. Please advise on best 
practices to handle such requirements.


Sudheer S

More information about the Freeradius-Users mailing list