restricting users access to clients?

John T. Guthrie guthrie at counterexample.org
Thu Mar 15 03:27:25 CET 2007


On Wed, 2007-03-14 at 16:08 -0300, Matt Ashfield wrote:
> Ok, the users file it is! Thanks!
> 
> I guess I was hoping for a link to an example of some sort. Because the user
> who would be given access is not explicitly defined in the users file (the
> users is defined in LDAP), I'm not sure how to setup a rule for that person.
> 
> Thanks again,
> 
> Cheers
> 
> Matt
> mda at unb.ca 

You would want to use the special username DEFAULT.  (Check the man page
for users(5).)

What I did (although this might be slightly hackish) is I took a look
at the attributes in the request that was being sent by the supplicant.
I looked for attributes that were different between the wireless users
and the network equipment users.  For example, you might want to do
something like:

"admin1"  NAS-Port-Type == "Virtual", Auth-Type = LDAP

"admin2"  NAS-Port-Type == "Virtual", Auth-Type = LDAP

# This matches everyone else
DEFAULT   NAS-Port-Type == "Virtual", Auth-Type := Reject

# This will match all wireless users
DEFAULT   NAS-Port-Type == "Wireless-802.11", Auth-Type = LDAP

Of course, this will mean that your network admins will *only* be able
to login via LDAP.  You may need to configure some kind of Fall-Through
if you want users to authenticate using some other mechanism in addition
to LDAP.  So this is not without its limitations, but this should give
you some ideas to start from.

-- 
John Guthrie
guthrie at counterexample.org
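To make the first-match and Fall-Through behaviour of the DEFAULT entries above concrete, here is an added Python simulation of a simplified users(5) evaluator run over those entries; it is not FreeRADIUS code and not from the original thread. The FALLTHROUGH_VARIANT file, the user name bob and the Ethernet port type are constructed for the demonstration.

```python
import re
# Constructed users-file text mirroring the entries in the reply above.
USERS_FILE = '''
"admin1"  NAS-Port-Type == "Virtual", Auth-Type = LDAP
"admin2"  NAS-Port-Type == "Virtual", Auth-Type = LDAP
# This matches everyone else
DEFAULT   NAS-Port-Type == "Virtual", Auth-Type := Reject
# This will match all wireless users
DEFAULT   NAS-Port-Type == "Wireless-802.11", Auth-Type = LDAP
'''
# Same file with a Fall-Through reply item on the admin1 entry (constructed variant).
FALLTHROUGH_VARIANT = USERS_FILE.replace(
    'Auth-Type = LDAP\n"admin2"', 'Auth-Type = LDAP\n\tFall-Through = Yes\n"admin2"')

ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|=)\s*("[^"]*"|\S+)')

def parse_users(text):
    """Return [(name, check_items, reply_items)] in file order; items are (attr, op, value)."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0] in ' \t':  # indented line: reply items of the previous entry
            entries[-1][2].extend(ITEM_RE.findall(raw))
        else:
            name, rest = raw.split(None, 1)
            entries.append((name.strip('"'), ITEM_RE.findall(rest), []))
    return entries

def evaluate(entries, request):
    """First matching entry wins unless it replies Fall-Through = Yes; returns control items."""
    control, matched = {}, False
    for name, checks, replies in entries:
        if name not in ('DEFAULT', request.get('User-Name')):
            continue
        # '==' check items compare against the request; '=' and ':=' set control items
        if any(op == '==' and request.get(a) != v.strip('"') for a, op, v in checks):
            continue
        matched = True
        for a, op, v in checks:
            if op == ':=' or (op == '=' and a not in control):
                control[a] = v.strip('"')
        if {a: v.strip('"') for a, _, v in replies}.get('Fall-Through', 'No').lower() != 'yes':
            break
    return control if matched else None

def decide(user, port_type, text=USERS_FILE):
    """Auth-Type the users file selects for a constructed request, or 'no match'."""
    ctl = evaluate(parse_users(text), {'User-Name': user, 'NAS-Port-Type': port_type})
    return ctl.get('Auth-Type', 'no match') if ctl else 'no match'
```

With Fall-Through = Yes on the admin1 entry, the later DEFAULT line's `Auth-Type := Reject` overrides the LDAP setting, so entry order and the choice of `=` versus `:=` decide the outcome.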


