On Apr 22, 2019, at 12:10 PM, Sudheer S <sudheer@techchorus.net> wrote:
I am using Freeraidius and I want to restrict users to their own devices.
I have inserted the Mac addresses of the users in radcheck table with the attribute Calling-Station-Id. Here's an example:
SELECT * FROM radcheck; id | username | attribute | op | value -------+------------+--------------------+----+-------------- 23175 | testuser01 | Cleartext-Password | := | password 23177 | testuser01 | Calling-Station-Id | := | aabbccddeefa 23178 | testuser01 | Calling-Station-Id | := | aabbccddeeff
In this case, the user testuser01 has two devices. aabbccddeefa and aabbccddeeff are their respective mac addresses.
No. Read the Wiki for rlm_sql to see how it works. You're using the ":=" operator, which means you're *setting* the Calling-Station-Id, not *checking* it.
In the authorize section, I have this snippet:
if (Calling-Station-Id != "%{sql: SELECT value FROM radcheck WHERE username='%{User-Name}' AND value='%{Calling-Station-Id}'}") {
If you have custom queries, then you should use a custom schema. Using the standard schema to do non-standard things is just bad.
reject update reply { Reply-Message = "Unauthorized device" } }
This setup works.
I was wondering whether this is an acceptable way to restrict users to their own devices.
Initially, I assumed Freeradius would restrict the users based on Calling-Station-Id in radcheck table. But when I tested, my assumption was wrong.
Yes, the server works as documented. And this *is* documented.
Therefore, I put up the unlang. Please advise on best practices to handle such requirements.
Create a custom table for custom queries. Alan DeKok.