On May 25, 2015, at 10:41 AM, Ben Humpert <ben@an3k.de> wrote:
This allows me to connect to a switch (which doesn't cause the creation of Called-Station-Ssid) but also to an access point. However, it does not prevent me connecting to a forbidden SSID. If I use == in the check item it actually does prevent me from connecting to a forbidden SSID but also from connecting through switches.
The users file isn't well suited for complex policies.
So, should I use a regex in the "users" file for each user entry or should I do this with a policy using unlang?
Keep the users file simple.
And if using unlang is advised - I think using groups is the better approach than hardcoding usernames into the code - how do I create groups which contain a) the usernames that are part of that group and b) one or more Called-Station-Ssid entries the user is allowed to connect to?
See raddb/modules/etc_group, and "man rlm_passwd". The process of creating groups is documented for precisely this reason. :)
I thought about arrays but I couldn't find infos if it's supported or how it's used. I actually have a perfectly working unlang code for doing what I want to achieve but that checks LDAP and I want to get rid of it since it's kind of an overkill for just assigning users into groups.
Use the groups to set the list of allowed SSIDs as a new attribute, "Allowed-SSID". Have a special one for "no SSID". Then in "unlang" if ((!Called-Station-Ssid && (Allowed-SSID == "no-SSID")) || (Allowed-Station-SSID == "%{Called-Station-Ssid}")) { ... set VLANs ... } else { reject } Something like that should work. Alan DeKok.