How to Restrict All Users from Certain APs
Fajar A. Nugraha
list at fajar.net
Thu Jan 26 00:55:03 CET 2012
On Thu, Jan 26, 2012 at 4:37 AM, White III, Joe <Joe.White at arvatousa.com> wrote:
>> Generally, you can only do this if the requests from those "certain
>> APs" have something which distinguishes them. Then you can match on this
>> in the users file [using 'DEFAULT'] and set Auth-Type to Reject.
>
>
> If I have three access points I don't want users to access, can I do something like below?
>
> +-----+------------------+----------------+-------+-------+-----------+
> | id | nasname | shortname | type | ports | secret |
> +-----+------------------+----------------+-------+-------+-----------+
> | 136 | 172.18.100.8 | ap-2000-cd6 | other | NULL | letmelook |
> | 11 | 172.18.100.4 | ap2000-cd-2 | other | NULL | letmelook |
> | 10 | 172.18.100.5 | ap2000-cd-3 | other | NULL | letmelook |
>
>
> DEFAULT shortname == ap-2000-cd6, Auth-type := reject,
>         Fall-Through = yes
>
> DEFAULT shortname == ap2000-cd-2, Auth-type := reject
>         Fall-Through = yes
>
> DEFAULT shortname == ap2000-cd-3, Auth-type := reject

Not sure.

In FR-2.x you should be able to use

  DEFAULT Client-Shortname == ap-2000-cd6, Auth-type := reject,
          Fall-Through = yes

... or create some unlang policy using the variable
"%{Client-Shortname}". But AFAIK unlang is 2.x, so I'm not sure
whether the attribute is also filled in FR-1.x.

I highly suggest you upgrade. Which OS/distro do you use? Most Linux
distros (even the "ancient" centos5 or ubuntu hardy) have a
ready-to-use FR2 package.

--
Fajar
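
The unlang policy mentioned in the reply could look like the following. This is an added example, not part of the original message; it assumes FreeRADIUS 2.x and reuses the three shortnames from the table quoted in the question.

```unlang
# Added example (not from the original thread). Assumes FreeRADIUS 2.x and
# the three client shortnames shown in the nas table quoted above.
# Goes in the authorize section of the virtual server that handles these
# requests, e.g. raddb/sites-available/default.
authorize {
	preprocess

	# Client-Shortname is the shortname of the client (NAS) entry the
	# request was received from. The ^...$ anchors make the match exact,
	# so a client named "ap2000-cd-30" is not caught by accident.
	if ("%{Client-Shortname}" =~ /^(ap-2000-cd6|ap2000-cd-2|ap2000-cd-3)$/) {
		update control {
			Auth-Type := Reject
		}
	}

	# ... the rest of the existing authorize modules (files, sql, eap, ...)
}
```

Client-Shortname is taken from the client entry matched by the packet's source address, so this only distinguishes the APs when each one sends its requests to the server directly as its own client.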