Cisco AV Pair
Phil Mayers
p.mayers at imperial.ac.uk
Tue Jul 29 18:05:26 CEST 2014
On 29/07/2014 16:47, Dan Fleming wrote:
> I have noticed called-station-id also contains the SSID. Is there any
> way to check this attribute in bulk so I don't have to add this check to
> every user? If the user is connecting to the wrong ssid I would like to
> deny them.

Best option is:

1. Define a local attribute in raddb/dictionary. Please read the
comments about attribute numbering, but something like

    ATTRIBUTE My-SSID 3001 string

2. Parse the Called-Station-Id into that with unlang:

    authorize {
        if (Called-Station-Id =~ /(.+):(.+)/) {
            # %{1} = station id, %{2} = SSID
            update request {
                Called-Station-Id := "%{1}"
                My-SSID = "%{2}"
            }
        }
        ...
    }

3. Write whatever policy you want re: SSIDs e.g.

    authorize {
        ...
        if (My-SSID == "staff") {
            if (Ldap-Group == "staff") {
                # member of the staff group: nothing to do
            }
            else {
                reject
            }
        }
        ...
    }
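
Added example, not part of the message above and not FreeRADIUS code: a Python model of the same regex split and the "staff" check, run over constructed Called-Station-Id values to show where the split lands when the station id itself contains colons or no SSID is appended. The function names and the SSID_GROUPS mapping are assumptions for illustration, and Python's greedy regex engine stands in for the server's.

```python
import re

# Same pattern as the unlang condition in the message.
CSID_RE = re.compile(r"(.+):(.+)")

# Hypothetical SSID -> required group mapping; the message shows "staff" only.
SSID_GROUPS = {"staff": "staff"}


def split_called_station_id(value):
    """Return (station_id, ssid); ssid is None when the pattern does not match."""
    m = CSID_RE.search(value)
    if m is None:
        return value, None
    # Greedy (.+) takes as much as it can, so the split is at the LAST colon.
    return m.group(1), m.group(2)


def ssid_decision(called_station_id, user_groups):
    """Model of step 3: reject only when the SSID maps to a group the user lacks."""
    _station, ssid = split_called_station_id(called_station_id)
    required = SSID_GROUPS.get(ssid)
    if required is not None and required not in user_groups:
        return "reject"
    # No SSID, or an SSID without a rule, falls through to the rest of the policy.
    return "continue"


# Constructed sample values, not taken from a real NAS.
SAMPLES = [
    "00-11-22-33-44-55:staff",      # hyphenated MAC plus SSID
    "00:11:22:33:44:55:staff",      # colon MAC plus SSID: still splits correctly
    "00-11-22-33-44-55:guest:lab",  # SSID containing a colon: SSID becomes "lab"
    "00-11-22-33-44-55",            # no SSID appended: no match
    "00:11:22:33:44:55",            # colon MAC, no SSID: last octet becomes the "SSID"
]

if __name__ == "__main__":
    for value in SAMPLES:
        station, ssid = split_called_station_id(value)
        verdict = ssid_decision(value, {"students"})
        print(f"{value!r:32} station={station!r} ssid={ssid!r} -> {verdict}")
```

A request whose Called-Station-Id carries no SSID never sets My-SSID, so the check in step 3 does not reject it; add an explicit rule if such requests should be denied.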