Limit login by Service

JAHANZAIB SYED aacable at hotmail.com
Fri Nov 8 10:45:44 CET 2019


Correction:

if ("%{sql: select srvtype from users where username = '%{User-Name}'}" != "%{NAS-Port-Type}") {



________________________________
From: Freeradius-Users <freeradius-users-bounces+aacable=hotmail.com at lists.freeradius.org> on behalf of JAHANZAIB SYED <aacable at hotmail.com>
Sent: Friday, November 8, 2019 2:40 PM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: Limit login by Service

@Sajad

Just to share the logic (it may be incorrect), but in MikroTik I see the following:

  *   PPPoE > NAS-Port-Type = Ethernet
  *   PPTP  > NAS-Port-Type = Virtual

Now, using your users table where the information is stored, you can create a query to check whether the user is using the allowed service type.

Users table example:

mysql> describe users;
+----------+-------------+------+-----+---------+----------------+
| Field    | Type        | Null | Key | Default | Extra          |
+----------+-------------+------+-----+---------+----------------+
| id       | int(10)     | NO   | PRI | NULL    | auto_increment |
| username | varchar(64) | NO   |     | NULL    |                |
| srvtype  | varchar(16) | NO   |     | NULL    |                |
+----------+-------------+------+-----+---------+----------------+
3 rows in set (0.00 sec)

mysql> select * from users;
# this type will allow pppoe only
+----+----------+----------+
| id | username | srvtype  |
+----+----------+----------+
|  1 | zaib     | Ethernet |
+----+----------+----------+
1 row in set (0.00 sec)

Now edit /etc/freeradius/sites-enabled/default and paste the following into the `authorize` section [check the syntax and braces if required]:


# Look up the service type stored for this user and compare it with the
# NAS-Port-Type the NAS sent (Ethernet for PPPoE, Virtual for PPTP on MikroTik).
# If the user row is missing, the sql xlat expands to "" and the request is rejected.
if ("%{sql: select srvtype from users where username = '%{User-Name}'}" != "%{NAS-Port-Type}") {
    update reply {
        Reply-Message = 'Error: You are not allowed to connect using this service type !'
    }
    update control {
        Auth-Type := "Reject"
    }
}

Now try to connect with the user from a different service type:

(9)   } # if ("%{sql: select srvtype from users where username = '%{User-Name}'}" != "%{NAS-Port-Type}")  = noop
(9)   Reply-Message = "Error: You are not allowed to connect using this service type !"
(9) Found Auth-Type = Reject
(9) Auth-Type = Reject, rejecting user
(9) Failed to authenticate the user

More info on VLAN number allowance, which I wrote about here: <https://aacable.wordpress.com/2018/01/18/freeradius-with-mikrotik-part-9-restrict-user-auth-from-allowed-vlan-only/>

Regards,
SYED JAHANZAIB
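The following is an added example, not part of the thread or of FreeRADIUS itself. It reproduces the policy above in Python so the decision logic can be checked offline: a constructed users table with the same columns as the one shown (id, username, srvtype), a lookup that behaves like the `%{sql:...}` xlat, and an authorize step that rejects whenever the stored srvtype differs from NAS-Port-Type. The sample users and requests are constructed for this example; the "Virtual" entry for a second user is an assumption added to show the PPTP side. The query uses a bound parameter as a design choice for this script and makes no claim about how rlm_sql escapes expansions.

```python
import sqlite3

# Constructed sample users table, mirroring the schema shown in the thread.
# MikroTik sends NAS-Port-Type = Ethernet for PPPoE and Virtual for PPTP.
USERS = [
    (1, "zaib", "Ethernet"),   # allowed on PPPoE only
    (2, "sajad", "Virtual"),   # assumed second user, allowed on PPTP only
]

REJECT_MESSAGE = "Error: You are not allowed to connect using this service type !"


def build_db():
    """Create an in-memory users table equivalent to the MySQL one in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "id INTEGER PRIMARY KEY, username TEXT NOT NULL, srvtype TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def lookup_srvtype(conn, username):
    """Equivalent of %{sql: select srvtype from users where username = '%{User-Name}'}.

    In unlang a query with no row expands to an empty string, so an unknown
    user yields "" here as well; that makes the policy default-deny.
    """
    row = conn.execute(
        "SELECT srvtype FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else ""


def authorize(conn, request):
    """Return (accept, reply_message) for a RADIUS request given as a dict.

    Mirrors the unlang block: reject unless the stored srvtype equals the
    NAS-Port-Type in the request. The comparison is an exact string match,
    just as the unlang '!=' operator compares the two expanded strings.
    """
    username = request.get("User-Name", "")
    nas_port_type = request.get("NAS-Port-Type", "")
    if lookup_srvtype(conn, username) != nas_port_type:
        return False, REJECT_MESSAGE
    return True, ""


# Constructed requests covering the accept, wrong-service and unknown-user cases.
REQUESTS = [
    {"User-Name": "zaib", "NAS-Port-Type": "Ethernet"},    # PPPoE  -> accept
    {"User-Name": "zaib", "NAS-Port-Type": "Virtual"},     # PPTP   -> reject
    {"User-Name": "nobody", "NAS-Port-Type": "Ethernet"},  # no row -> reject
    {"User-Name": "sajad", "NAS-Port-Type": "Virtual"},    # PPTP   -> accept
]


def run_all():
    """Evaluate every constructed request; returns the list of accept decisions."""
    conn = build_db()
    return [authorize(conn, req)[0] for req in REQUESTS]


if __name__ == "__main__":
    conn = build_db()
    for req in REQUESTS:
        accepted, message = authorize(conn, req)
        verdict = "Accept" if accepted else "Reject"
        print(f"{req['User-Name']:<8} {req['NAS-Port-Type']:<9} -> {verdict} {message}")
```

The third request shows the behaviour worth knowing before deploying this: a username with no row in the table is rejected too, because the empty expansion never equals a NAS-Port-Type value. That is usually the desired default, but it means the users table must be populated for every account before the block goes live.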
________________________________
From: Freeradius-Users <freeradius-users-bounces+aacable=hotmail.com at lists.freeradius.org> on behalf of Sajad Tahernejad <sajad at tahernejad.com>
Sent: Monday, September 2, 2019 1:55 PM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Limit login by Service

Hi,
I want to limit connections to the MikroTik NAS by service, for example only
accept PPTP or PPPoE. I see Framed-Protocol can check PPP only; can anyone
help me to limit to PPTP or PPPoE only?
Thanks. Regards
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html