On Wed, 2017-08-09 at 10:41 -0300, Alejandro Cabrera Obed wrote:
Dear Matthew, thanks for yor response. Maybe I have to update from Freeradius 2.x to 3.x, in order to have more benefits like the one I want.
You don't need to for what you want to do, but you should do so in the long run. There isn't much interest here in version 2 any more, it's end of life. Version 4 is in the works, and version 3 has been out for nearly four years now.
After reading your explanation, I understand I have to edit the users file with a line like "bob Called-Station-SSID != 'SSID1', Auth-Type := Reject" for each user that have to access to the WiFi service...so If I have 500 users, I will have a lot of work because I have to replicate all the AD users in the Freeradius "users" file. These 500 users are in our Active Directory service that Freeradius authenticate to.
OK, I missed the bit where you said AD...
So is there any manner to validate user / SSID against the AD in place of the "users" local file????
Configure the ldap module to do group lookups against AD. If you add people into AD groups, let's say one per SSID, then you could look up the group based on the SSID they are trying to join. See the LDAP documentation on how to use the Ldap-Group virtual attribute, e.g. http://wiki.freeradius.org/modules/Rlm_ldap#group-support Then compare this to the SSID. Depending on how many SSIDs you have you might want to do a files lookup to get the group name from the SSID, or just hardcode it in unlang. Along the lines of if (Called-Station-SSID == "SSID1" and !(Ldap-Group == "group-ssid- one")) { reject } etc. -- Matthew