Auth by NAS-Identifier using unlang
Joseph Perrin
joseph at lifeonthestreet.org
Mon Aug 5 21:59:51 CEST 2013
I was thinking this should be easy, but it's been two weeks and I give up...
This is what I want to do: My NAS, (a WiFi AP), has two SSIDs: "staff" and
"guests". I want mutual exclusivity.
My /etc/raddb/users file contains something like this:
abc	Cleartext-Password := "xyz"
	Local-Group = "staff"
I've created an attribute in my /etc/raddb/dictionary file:
ATTRIBUTE Local-Group 3000 string
In my /etc/raddb/sites-enabled/default file, in the authorize section, I've
got this:
if ( Local-Group != NAS-Identifier ) {
	update reply {
		Reply-Message := "You may not connect to %{NAS-Identifier} AP.\r\n"
	}
	reject
}
My access request looks something like this: (edited for brevity.)
	User-Name = "abc"
	NAS-IP-Address = 192.168.8.253
	NAS-Port = 0
	NAS-Identifier = "guests"
	NAS-Port-Type = Wireless-802.11
	Calling-Station-Id = "..."
	Called-Station-Id = "..."
	Service-Type = Login-User
	Framed-MTU = 1100
	EAP-Message = ...
	State = ...
	Aruba-Essid-Name = "test"
	Aruba-Location-Id = "wifi"
	Aruba-AP-Group = "Our WiFi"
Running radiusd -X I get:
:
++? if (Local-Group != NAS-Identifier )
(Attribute Local-Group was not found)
? Evaluating (Local-Group != NAS-Identifier ) -> FALSE
++? if (Local-Group != NAS-Identifier ) -> FALSE
:
And it's clear Local-Group is always empty. :-(
Some things I've tried:
- Moved code to post-auth section instead of authorize.
- Different attributes instead of private dictionary (i.e. Group-Name).
- Running an executable (actually works, but SELinux appears to be a
  problem?).
- Changing the test from != to == makes things work as expected, so if the
  comparison will actually work, I'm good.
I'm clearly not understanding something....
-Joseph
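[Editor's note, added example; this is not code from Joseph's post or from the FreeRADIUS project's shipped configuration.] The debug line "Attribute Local-Group was not found" is what you get when the attribute exists, but not in the list unlang is looking in. In the users file, only the first line of an entry holds check items; the indented lines that follow are reply items. So the Local-Group="staff" above is added to the reply list, while a bare attribute name in an unlang condition refers to the request list, where the NAS never sent it. The fragment below keeps the same dictionary entry (ATTRIBUTE Local-Group 3000 string) but makes Local-Group a check item so it lands in the control list, and then compares that list explicitly. It is written in FreeRADIUS 3.0 unlang syntax (the & prefix on attribute references); the second user "def" and both passwords are made up for the example.

```unlang
# /etc/raddb/users
# Check items go on the first line of an entry; they are placed in the
# control list, which is where the policy below looks for them.
# (Values and the second user are made up for this example.)
abc	Cleartext-Password := "xyz", Local-Group := "staff"

def	Cleartext-Password := "uvw", Local-Group := "guests"


# /etc/raddb/sites-enabled/default, authorize section.
# The comparison must come AFTER "files": that module is what reads the
# users file and populates &control:Local-Group. Placed before it, the
# attribute is always missing and the condition is always FALSE, exactly
# as in the radiusd -X output above.
authorize {
	# ... preprocess, eap and the other modules as shipped ...
	files
	# ...

	# Only apply the SSID policy to users who actually have a group
	# assigned; users without one fall through to normal processing.
	if (&control:Local-Group && (&control:Local-Group != &NAS-Identifier)) {
		update reply {
			Reply-Message := "You may not connect to the %{NAS-Identifier} AP."
		}
		reject
	}

	# ...
}
```

Two caveats. First, the attribute you compare against has to be the one that actually differs between the two SSIDs in the requests your controller sends; the request quoted above carries NAS-Identifier = "guests" and also Aruba-Essid-Name = "test", and either can be substituted on the right-hand side. Second, the request above contains EAP-Message and State, so EAP is in use; if that is PEAP or EAP-TTLS, the users lookup and this check run in sites-enabled/inner-tunnel, and the inner request only sees NAS-Identifier when copy_request_to_tunnel = yes is set in the peap/ttls section of the eap module configuration (it defaults to no). To exercise the policy without an AP, feed a constructed request to radclient, e.g. printf 'User-Name = "abc"\nUser-Password = "xyz"\nNAS-Identifier = "guests"\n' | radclient -x localhost auth testing123, and expect an Access-Reject carrying the Reply-Message; repeating it with NAS-Identifier = "staff" should yield Access-Accept.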