Freeradius for several services

Alan DeKok aland at deployingradius.com
Thu Mar 22 14:05:17 CET 2012


David Seira wrote:
> I want to use the same freeradius server to authenticate several
> services like L2TP VPN, PPPoE server, captive portal, etc.

  Normally, you just create user accounts.  Everyone can log in from
everywhere.

> I would like to know what is the best way to achieve it. I don't know if
> it is best using several virtual servers, one per service, or through
> the called-station-id with the same virtual server. Is it possible to
> evaluate a request based on the NAS' called station id (regardless of the
> user/pass)?

  Yes.

> In the above example, when user1 tries to log in to the captive
> portal, freeradius should send an access-reject. Which is the best way?

  Use groups.  Put the users into groups, based on what they're allowed
to access.  Then, check the groups.  See the rlm_sql documentation for
how to do groups in SQL.

  Then, create logic saying "if NAS X and not group X, reject".

  The most important thing is getting the logic correct.  Write down
what you want to do.  Write down which fields of the RADIUS packet you
want to look at.  Worry about the syntax of the configuration files as
the *last* thing.

  Alan DeKok.
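
The "if NAS X and not group X, reject" rule from the reply above, sketched in unlang as an added example; it is not part of the original message or of the FreeRADIUS distribution. It assumes rlm_sql is configured with its default `SQL-Group` comparison attribute, and the Called-Station-Id values and group names are constructed placeholders.

```unlang
# The policy written down first, as the reply suggests:
#
#   service          field checked                 required group
#   L2TP VPN         Called-Station-Id "vpn"       vpn-users
#   PPPoE server     Called-Station-Id "pppoe"     pppoe-users
#   captive portal   Called-Station-Id "portal"    portal-users
#
# All values and group names above are constructed placeholders.
# Group membership comes from rlm_sql (the radusergroup table);
# SQL-Group is the comparison attribute that module registers.

authorize {
    preprocess

    if (Called-Station-Id == "vpn") {
        # NAS X and not group X: reject
        if (!(SQL-Group == "vpn-users")) {
            reject
        }
    }
    elsif (Called-Station-Id == "pppoe") {
        if (!(SQL-Group == "pppoe-users")) {
            reject
        }
    }
    elsif (Called-Station-Id == "portal") {
        if (!(SQL-Group == "portal-users")) {
            reject
        }
    }
    else {
        # Assumption added here, not stated in the reply: a request
        # for a service that is not in the table is rejected rather
        # than allowed through for every user account.
        reject
    }

    # The rest of the existing authorize section (sql, pap, ...)
    # follows unchanged.
}
```

Called-Station-Id is supplied by the NAS, so this check is only as trustworthy as the client entry and shared secret the request arrived under; NAS-IP-Address or NAS-Identifier can be tested the same way.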

