Serving multiple groups of users

Marcus Ng marcus.ng at assuritz.com
Wed Aug 20 21:32:17 CEST 2014


Hi,

1. If I create 2 sql named instances, and each one has num_sql_socks = 5,
does that mean the total number of sql connections is 10? I don't really
want that because the only difference between the 2 named instances will
only be in the sql queries.


2. Or, can I use radgroupcheck to check for listening IP and port of the
radius server instead?
I.e. to check the incoming connection has the correct Packet-Dst-IP-Address
and Packet-Dst-Port?

3. Alternately, can I create a new attribute, say Radius-EndPoint =
"%{Packet-Dst-IP-Address}:%{Packet-Dst-Port}" and use that in radgroupcheck
to check for listening IP and port of the radius server?

Thanks,
-Marcus

-----Original Message-----
From: freeradius-users-bounces+marcus.ng=assuritz.com at lists.freeradius.org
[mailto:freeradius-users-bounces+marcus.ng=assuritz.com at lists.freeradius.org]
On Behalf Of A.L.M.Buxey at lboro.ac.uk
Sent: Monday, August 18, 2014 6:24 AM
To: FreeRadius users mailing list
Subject: Re: Serving multiple groups of users

Hi,

> This is my use case. I have 2 dept: A & B. I want to provide 
> WPA2-Enterprise to both dept A & B, who have different groups of end 
> users. But I do not want them to mix, i.e.
> 
> If an end user from dept A tries to connect to a Wifi AP that belongs 
> to dept A, the authentication would be successful.
> If an end user from dept A tries to connect to a Wifi AP that belongs 
> to dept B, the authentication would fail.

yes, this is very common

> I can create 2 virtual servers and point the group of Wifi AP from 
> Dept A to virtual server 1 and dept B to Virtual Server 2. But how 
> would the virtual server know which authentication to allow and which 
> to block? From what I understand, the 2 virtual servers will share the 
> same sql module. That is my dilemma.

errr. nope. they can have totally different logic - and you need to look at
named instances of eg SQL module - you've just got sql - you can have
'groupA-sql' and 'groupB-sql' each looking at a different database

> Method 1. Taking advantage of the fact that all wifi AP of a dept will 
> point to a particular virtual server, I modify the 
> authorize_check_query to use the listening address/port of the virtual 
> server as a selection criteria

in fact, you don't need to listen on different ports - use the
'virtual_server' directive in clients.conf so requests from those APs
(based on IP address) go to a different virtual server.

alan
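
The layout suggested in the reply above, written out as a configuration example. It is added here for illustration and is not taken from the thread or from the FreeRADIUS distribution. It assumes FreeRADIUS 2.x syntax (the series that uses num_sql_socks); the client names, subnets, secrets, database names and the server names deptA/deptB are hypothetical.

```conf
# --- clients.conf: route each department's APs by source address ---
# Subnets and secrets are constructed placeholders.
client deptA-aps {
    ipaddr = 192.0.2.0
    netmask = 24
    secret = REPLACE_WITH_DEPT_A_SECRET
    virtual_server = deptA
}
client deptB-aps {
    ipaddr = 198.51.100.0
    netmask = 24
    secret = REPLACE_WITH_DEPT_B_SECRET
    virtual_server = deptB
}

# --- sql.conf: one named instance per department ---
# Copy the stock "sql { ... }" block once per department and change only
# the instance name and the database (or queries) it points at. Each
# named instance has its own num_sql_socks setting and its own connections.
sql groupA-sql {
    radius_db = "radius_deptA"    # hypothetical database name
    num_sql_socks = 5
    # remaining settings unchanged from the stock sql.conf
}
sql groupB-sql {
    radius_db = "radius_deptB"    # hypothetical database name
    num_sql_socks = 5
    # remaining settings unchanged from the stock sql.conf
}

# --- sites-enabled/: one virtual server per department ---
# Each server references only its own department's SQL instance.
server deptA {
    authorize {
        preprocess
        eap
        groupA-sql
    }
    authenticate {
        eap
    }
}
server deptB {
    authorize {
        preprocess
        eap
        groupB-sql
    }
    authenticate {
        eap
    }
}
```

With PEAP or TTLS the user lookup normally runs in the inner virtual server named by the eap module's `virtual_server` setting, so each department also needs its own eap instance and inner server that call the matching SQL instance. Sharing one inner server would let both departments authenticate against the same user store.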