User login restrictions based on SSID
I'm trying to set login restrictions based on SSID. For example users in Sales Group should only connect a particular SSID, etc.. and Support Team should be able to login to any SSID. We have Aruba Controller, which provide SSID in Aruba-Essid-Name attribute in Access-Request and using daloradius for user management. First i've tried the following to get this working without adding any sql code; "Aruba-Essid-Name := ssid_name" in User Group Check attributes - didn't work "Aruba-Essid-Name := ssid_name" in User Check attributes - didn't work And finally using the 'address' column in 'userinfo' TABLE to store SSID info. And have put the following in authorize {} sites-enabled/default ; if ("%{sql:SELECT COUNT(*) FROM userinfo WHERE userinfo.username= '%{User-Name}' AND userinfo.address= '%{Aruba-Essid-Name}'} >0") { ok } else { reject } sql No mater which SSID, i'm able to connect. Thanks, Eby
On May 23, 2016, at 8:03 AM, Eby Mani via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I'm trying to set login restrictions based on SSID. For example users in Sales Group should only connect a particular SSID, etc.. and Support Team should be able to login to any SSID. We have Aruba Controller, which provide SSID in Aruba-Essid-Name attribute in Access-Request and using daloradius for user management.
First i've tried the following to get this working without adding any sql code;
"Aruba-Essid-Name := ssid_name" in User Group Check attributes - didn't work "Aruba-Essid-Name := ssid_name" in User Check attributes - didn't work
Se the FAQ for "it doesn't work". Such messages are content-free, and there is really no reason to post them to the list.
And finally using the 'address' column in 'userinfo' TABLE to store SSID info.
And have put the following in authorize {} sites-enabled/default ;
if ("%{sql:SELECT COUNT(*) FROM userinfo WHERE userinfo.username= '%{User-Name}' AND userinfo.address= '%{Aruba-Essid-Name}'} >0") { ok } else { reject }
sql
No mater which SSID, i'm able to connect.
If only there was some kind of debug log, where you could see what the server was doing. Alan DeKok.
Hi,
I'm trying to set login restrictions based on SSID. For example users in Sales Group should only connect a particular SSID, etc.. and Support Team should be able to login to any SSID. We have Aruba Controller, which provide SSID in Aruba-Essid-Name attribute in Access-Request and using daloradius for user management.
First i've tried the following to get this working without adding any sql code;
"Aruba-Essid-Name := ssid_name" in User Group Check attributes - didn't work "Aruba-Essid-Name := ssid_name" in User Check attributes - didn't work
First off, check : http://wiki.freeradius.org/config/Operators The := is an "assignement" sort of thing, as a check item it always returns true. If you use "==" in the "User Check attributes ", I think it'll do what you want (could depends on a lot of other stuff in your config). Because the user check won't match and so the "Clear-Text-Password" assignment won't be done and without password set, the MSCHAPv2 will fail. Cheers, Sylvain
participants (3)
-
Alan DeKok -
Eby Mani -
Sylvain Munaut