2015-05-25 17:09 GMT+02:00 Alan DeKok <aland@deployingradius.com>:
On May 25, 2015, at 10:41 AM, Ben Humpert <ben@an3k.de> wrote:
This allows me to connect to a switch (which doesn't cause the creation of Called-Station-Ssid) but also to an access point. However, it does not prevent me connecting to a forbidden SSID. If I use == in the check item it actually does prevent me from connecting to a forbidden SSID but also from connecting through switches.
The users file isn't well suited for complex policies.
So, should I use a regex in the "users" file for each user entry or should I do this with a policy using unlang?
Keep the users file simple.
That's exactly what I secretly hoped :)
And if using unlang is advised - I think using groups is the better approach than hardcoding usernames into the code - how do I create groups which contain a) the usernames that are part of that group and b) one or more Called-Station-Ssid entries the user is allowed to connect to?
See raddb/modules/etc_group, and "man rlm_passwd". The process of creating groups is documented for precisely this reason. :)
Awesome! Thank you very much for pointing me to these. I hoped for something like this.
I thought about arrays but I couldn't find infos if it's supported or how it's used. I actually have a perfectly working unlang code for doing what I want to achieve but that checks LDAP and I want to get rid of it since it's kind of an overkill for just assigning users into groups.
Use the groups to set the list of allowed SSIDs as a new attribute, "Allowed-SSID". Have a special one for "no SSID". Then in "unlang"
/etc/freeradius/mods-enabled/groups passwd groups { moddir = ${modconfdir}/${.:instance} filename = ${moddir}/authorize format = "Group-Name:,Allowed-SSID:*,User-Name" hash_size = 50 ignore_nislike = yes allow_multiple_keys = yes delimiter = ":" } /etc/freeradius/mods-config/groups/authorize #Group-Name:Allowed-SSID:User-Name Base:base,small:Sony VAIO,Ben Small:small:Mike,Tim Large:large:Anastacia
if ((!Called-Station-Ssid && (Allowed-SSID == "no-SSID")) || (Allowed-Station-SSID == "%{Called-Station-Ssid}")) { ... set VLANs ... } else { reject }
Something like that should work.
I tried that but somehow I can't get it working. I know PHP so if-then-else stuff is not a problem at all but I have a problem reading the Attribute so I can compare it with %{Called-Station-Ssid}. I tried it with %{Allowed-SSID}, %Allowed-SSID, &Allowed-SSID, Allowed-SSID and stuff like %{config:Allowed-SSID} or %{config:modules.groups.Allowed-SSID} and in the debug log I see groups: Added Allowed-SSID: 'base,small' to config_items so I should be able to %{config:Allowed-SSID} == %{Called-Station-Ssid} but the attribute is always empty or I get "Config item "Allowed-SSID" does not exist". I also got the following warning Mon May 25 21:18:22 2015 : Warning: /etc/freeradius/policy.d/access[3] Please change %{Called-Station-Ssid}} to &Called-Station-Ssid} so what is the difference between %{Attribute-Name} and &Attribute-Name ? It's hard to google for just these special chars. I somehow feel stupid, just a little bit but still beyond acceptance :) and I hate asking for help but I can't solve this on my own. Thanks very much!