limiting Authentication based on the NAS
Phil Mayers
p.mayers at imperial.ac.uk
Thu Nov 8 13:51:47 CET 2007
On Thu, 2007-11-08 at 07:40 -0500, Terry Pelley wrote:
> Sorry, First posting contained no subject header.
> This is a repost.
>
> I want to be able to specify which Wireless Access Points certain
> users can gain access from.
>
> Is there an attribute that I can set so that a user can only be
> authenticated if the request comes from a predetermined NAS or group
> of NASs?
Not a specific attribute, but there are lots of variations on techniques
that can do this. Most basic:

1. Put WAPs into huntgroups
2. In the users file, do:

# let user1 in group1
user1   Huntgroup-Name == "group1"
        Fall-Through = No

# user2 in group2
user2   Huntgroup-Name == "group2"
        Fall-Through = No

# default deny
DEFAULT Auth-Type := Reject

Slightly more complex:

1. Put the WAPs into huntgroups
2. Put the users into groups (see rlm_passwd for file-based, or use
   SQL/LDAP)
3. In the "users" file:

# users in ug1 can access WAPs in wapg1
DEFAULT Huntgroup-Name == "wapg1", {My,SQL,LDAP}-Group == "ug1"
        Fall-Through = No

There are many more variations using SQL and LDAP.
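
Added example, not part of the original message and not FreeRADIUS code: a simplified Python model of the first users-file variant above, useful for checking which user/NAS pairs get past the huntgroup check before deploying the policy. The NAS addresses, the huntgroups lines and the `evaluate()` helper are constructed for illustration.

```python
# Simplified model of the huntgroups + users-file policy from the reply above.
# Addresses, group membership and helper names are constructed assumptions.
import re

HUNTGROUPS = """
group1  NAS-IP-Address == 192.0.2.10
group1  NAS-IP-Address == 192.0.2.11
group2  NAS-IP-Address == 192.0.2.20
"""

USERS = """
user1   Huntgroup-Name == "group1"
        Fall-Through = No
user2   Huntgroup-Name == "group2"
        Fall-Through = No
DEFAULT Auth-Type := Reject
"""

def parse_huntgroups(text):
    """Map NAS IP -> huntgroup name from 'name NAS-IP-Address == ip' lines."""
    table = {}
    for line in text.splitlines():
        m = re.match(r'(\S+)\s+NAS-IP-Address\s*==\s*(\S+)', line.strip())
        if m:
            table[m.group(2)] = m.group(1)
    return table

def parse_users(text):
    """Return ordered (name, required_huntgroup_or_None, rejects) entries."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line[0].isspace():  # blank or reply-item line
            continue
        name, checks = line.split(None, 1)
        hg = re.search(r'Huntgroup-Name\s*==\s*"([^"]+)"', checks)
        entries.append((name, hg.group(1) if hg else None,
                        'Auth-Type := Reject' in checks))
    return entries

def evaluate(user, nas_ip):
    """Walk entries in file order; the first one whose check items match decides."""
    huntgroup = parse_huntgroups(HUNTGROUPS).get(nas_ip)  # None if NAS unlisted
    for name, required, rejects in parse_users(USERS):
        if name not in (user, 'DEFAULT'):
            continue
        if required is not None and required != huntgroup:
            continue  # check item failed, try the next entry
        return 'reject' if rejects else 'allowed'
    return 'allowed'  # no entry matched; this model imposes no restriction
```

Here "allowed" only means the request was not stopped by the huntgroup policy; the user still has to authenticate normally.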