very long regular expression...

Norbert Grochal norboro at celpol.pl
Wed Nov 22 14:30:35 CET 2006


> > I have FreeRADIUS Version 1.1.0
> >
> > I want to disallow login to access points for all hosts that are not
> > in my network.
> >
> > So at the end of the /usr/local/etc/raddb/users file I put a regular
> > expression that checks if Calling-Station-Id IS NOT in the list of my
> > hosts...
> >
> > DEFAULT Auth-Type := REJECT, Calling-Station-Id !~
> > "008012323244|002938475473|<and many other macs...>"
>
> Is there any reason you shouldn't have a separate stanza accepting each
> valid MAC address, then implicitly reject all other MAC addresses?

I accept users using eap-peap + mysql. Logins are not the Identity but are
extracted from eap messages, so I can't use the users file for auth (?). In the
users file there are visible User-Name attrs that I do not use (they are not the
same as those from the eap-message). My wireless cards have 3 fields: Identity,
eap login, eap password. My users can use anything in identity, but must
use the correct login and password.

So the users file is a kind of "filter". If my host tries to access the network
from an 'incorrect' access point there is a REJECT. If the accessed ap is
'correct' there is no reject and eap-peap + mysql works for me...

Norboro




More information about the Freeradius-Users mailing list