PEAP and Huntgroup-Name

Nicolas Boullis nicolas.boullis at
Tue Jul 7 12:15:23 CEST 2009


I'm using FreeRADIUS 2.0.4 from the package in Debian Lenny for WPA (for
wifi) and 802.1x (for wired ethernet) authentication and authorization.

They use PEAP/MSCHAPv2 for authentication.

Most users are in LDAP and are allowed to connect either to wired
ethernet or to wifi.
But I also have to deal with some "guest" users, whose usernames all
begin with the "guest/" prefix, who are in a SQL database, and who
should only be allowed to connect to wifi.

Currently, the relevant part of my users file is:

| DEFAULT Huntgroup-Name == ap, Prefix == "guest/", Autz-Type := GUEST
|         Fall-Through = No

The trouble is the inner request has no NAS-IP-Address, so the
Huntgroup-Name is not set and does not match.

Running freeradius -X shows that the Huntgroup-Name condition is
correctly verified for the outer request, but not for the inner one.
And if I remove the Huntgroup-Name condition, everything works fine, but
the guest users are allowed to connect to wired ethernet.

Is there a way I can test the outer Huntgroup-Name in my users file?


Nicolas Boullis
Ecole Centrale Paris

More information about the Freeradius-Users mailing list