Freeradius for several services
Hi, I want to use the same freeradius server for authenticate several services like L2TP VPN, PPPoE server, captive portal, etc... For example: NAS->PPPoE Server (11-11-11-11-11-11)
NAS->Captive portal (22-22-22-22-22-22)
In the MySQL radcheck table:
user1 Cleartext-Password := 1234
user1 Called-Station-Id := 11-11-11-11-11-11 user2 Cleartext-Password := 5678 user2 Called-Station-Id := 22-22-22-22-22-22
I would like to know what is the best way to achieve it. I don't know if it is best using several virtual servers, one per service, or through the called-station-id with the same virtual server. Is it possible to evaluate a request based on the NAS' called station id (regardless the user/pass)? In the above example, when the user1 try to login into the captive portal the freeradius should send an access-reject. Which is the best way? Thanks, David
David Seira wrote:
I want to use the same freeradius server for authenticate several services like L2TP VPN, PPPoE server, captive portal, etc...
Normally, you just create user accounts. Everyone can log in from everywhere.
I would like to know what is the best way to achieve it. I don't know if it is best using several virtual servers, one per service, or through the called-station-id with the same virtual server. Is it possible to evaluate a request based on the NAS' called station id (regardless the user/pass)?
Yes.
In the above example, when the user1 try to login into the captive portal the freeradius should send an access-reject. Which is the best way?
Use groups. Put the users into groups, based on what they're allowed to access. Then, check the groups. See the rlm_sql documentation for how to do groups in SQL. Then, create logic saying "if NAS X and not group X, reject". The most important thing is getting the logic correct. Write down what you want to do. Write down which fields of the RADIUS packet you want to look at. Worry about the syntax of the configuration files as the *last* thing. Alan DeKok.
Hi. Finally I achieved it with the huntgroups. Adding a huntgroup with a nas and then adding this huntgroup to a specific user group. Regards, David El 22 de marzo de 2012 14:05, Alan DeKok <aland@deployingradius.com>escribió:
David Seira wrote:
I want to use the same freeradius server for authenticate several services like L2TP VPN, PPPoE server, captive portal, etc...
Normally, you just create user accounts. Everyone can log in from everywhere.
I would like to know what is the best way to achieve it. I don't know if it is best using several virtual servers, one per service, or through the called-station-id with the same virtual server. Is it possible to evaluate a request based on the NAS' called station id (regardless the user/pass)?
Yes.
In the above example, when the user1 try to login into the captive portal the freeradius should send an access-reject. Which is the best way?
Use groups. Put the users into groups, based on what they're allowed to access. Then, check the groups. See the rlm_sql documentation for how to do groups in SQL.
Then, create logic saying "if NAS X and not group X, reject".
The most important thing is getting the logic correct. Write down what you want to do. Write down which fields of the RADIUS packet you want to look at. Worry about the syntax of the configuration files as the *last* thing.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
David Seira