On Sun, May 22, 2016 at 12:49:09AM +0200, dump@gmx.info wrote:
I want to add a small administration page and I want to use radius via php too for authentication of the admin. But I want to ensure that the administration account can only be used for login into the administration section and not for login into the WiFi-net.
I don't want to use realms for this purpose. I thought using the Auth-Type directive in the radcheck or radgroupcheck table and forbidding EAP authentication could be a possibility. But I don't know how to arrange this.
Does somebody have some hints or another possibility for achieving the described above?
Look at the wireless auth packets and the web site auth packets. Find some difference between them (missing Calling-Station-Id, differnet NAS-IP-Address, Service-Type etc) and either put radcheck entries to reject the connection for those, or just use unlang to reject in the case you don't want to allow access. e.g. if (&NAS-IP-Address != "10.11.12.13" && User-Name == "webadmin") { reject } http://freeradius.org/radiusd/man/unlang.html Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>