Authentication Before Authorization

Alan DeKok aland at
Fri Sep 26 16:58:19 CEST 2014

Russell Mike wrote:
> i wish to process authentication section before authorization & then
> accounting. We want to authenticate CPE (Motorola SM) using EAP
> (working) and then authorize using MAC address from a database. if not
> found, redirect to a URL.

  That can be done in the post-auth section.  EAP uses multiple round
trips, so you *don't* want to be looking up the MAC in the DB for every
packet.  Once is good enough.

  You can just put a SELECT statement into post-auth:

post-auth {

	if ("%{sql:SELECT ...}") {
		# found
	else {
		# re-direct to URL ???

  Put the MAC into a table by itself.  There's no need to use the
standard FreeRADIUS schema.  A simpler one can be simpler.

  And RADIUS doesn't do URL redirection.  The AP has to support that.
So if the AP documentation doesn't say it does URL redirection... it's
not possible.

  That's what hotspots are for.  They can do IP layer filtering and
redirection.  It's impossible to do that in standard RADIUS.

  Alan DeKok.

More information about the Freeradius-Users mailing list